Snort mailing list archives

Re: trouble with http_inspect

From: Jeremy Hewlett <jh () sourcefire com>
Date: Mon, 18 Oct 2004 13:50:39 -0400

On Mon, Oct 18, Larry Wichman wrote:


   I  am  having  trouble config'n my http inspect preprocessor. I do not
   want Apache_Whitespace alerts. Here is my config:

   preprocessor http_inspect: global \
       iis_unicode_map unicode.map 1252\


Remove this backslash after 1252. You're trying to line-continue a
global statement into a default statement.

   #
   preprocessor http_inspect_server: server default \
       profile all ports { 80 8080 8180 } oversize_dir_length 500 \
       apache_whitespace no


Also, you can only modify a profile with ports, iis_unicode_map,
allow_proxy_use, flow_depth, no_alerts, oversize_dir_length, and,
inspect_uri_only. 

If all you're trying to do is squash alerts, just add no_alerts and
create some "server <ip of my http server>" entries for what you're
interested in protecting. Note that you can't define servers with
netmasks yet - that functionality is coming.




-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

trouble with http_inspect Larry Wichman (Oct 18)
- Re: trouble with http_inspect sekure (Oct 18)
- Re: trouble with http_inspect Jeremy Hewlett (Oct 18)