Snort mailing list archives
Re: trouble with http_inspect
From: Jeremy Hewlett <jh () sourcefire com>
Date: Mon, 18 Oct 2004 13:50:39 -0400
On Mon, Oct 18, Larry Wichman wrote:
> I am having trouble config'n my http inspect preprocessor. I do not want
> Apache_Whitespace alerts. Here is my config:
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252\
Remove this backslash after 1252. You're trying to line-continue a global statement into a default statement.
> # preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500 \
>     apache_whitespace no
Also, you can only modify a profile with ports, iis_unicode_map, allow_proxy_use, flow_depth, no_alerts, oversize_dir_length, and inspect_uri_only. If all you're trying to do is squash alerts, just add no_alerts and create some "server <ip of my http server>" entries for what you're interested in protecting. Note that you can't define servers with netmasks yet - that functionality is coming.
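The two mistakes pointed out in the reply above can be caught before Snort is restarted. The following is an added example, not part of the original message and not Snort code: a small checker that flags a backslash continuation running into the next preprocessor statement, and options outside the reply's list used together with "profile". The function names, the token-skipping heuristic and the sample configuration are assumptions made for illustration.

```python
import re

# Options the reply lists as the only ones usable together with "profile".
PROFILE_MODIFIERS = {"ports", "iis_unicode_map", "allow_proxy_use", "flow_depth",
                     "no_alerts", "oversize_dir_length", "inspect_uri_only"}

def logical_lines(text):
    """Join backslash-continued lines; yield (first physical line number, text)."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        start = start or no
        buf.append(line.rstrip("\\"))
        if not line.endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], None
    if buf:  # file ended on a dangling continuation
        yield start, " ".join(buf)

def option_names(rest):
    """Heuristic (assumption): drop { ... } lists, numbers, yes/no, map file name."""
    toks = re.sub(r"\{[^}]*\}", " ", rest).split()
    return [t for i, t in enumerate(toks) if not (t.isdigit() or t in ("yes", "no")
            or (i and toks[i - 1] == "iis_unicode_map"))]

def lint(text):
    """Return [(line_no, message)] for the two mistakes discussed in the thread."""
    findings = []
    for no, line in logical_lines(text):
        if len(re.findall(r"\bpreprocessor\s+http_inspect", line)) > 1:
            findings.append((no, "backslash continues into the next preprocessor statement"))
        m = re.match(r"\s*preprocessor\s+http_inspect_server:\s*server\s+\S+\s+profile\s+\S+(.*)", line)
        bad = [o for o in option_names(m.group(1)) if o not in PROFILE_MODIFIERS] if m else []
        if bad:
            findings.append((no, "not allowed with profile: " + ", ".join(bad)))
    return findings

# Constructed sample modelled on the configuration quoted in the thread.
BROKEN = r"""preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252\
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 \
    apache_whitespace no
"""
HALF_FIXED = BROKEN.replace("1252\\", "1252")   # drop the stray continuation
FIXED = HALF_FIXED.replace("apache_whitespace no", "no_alerts")

if __name__ == "__main__":
    print([lint(conf) for conf in (BROKEN, HALF_FIXED, FIXED)])
```

The profile check only becomes visible once the stray backslash is removed, because until then both statements are read as a single logical line.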