Snort mailing list archives

Re: http_inspect question


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 25 Oct 2004 16:25:32 -0400

At 02:53 PM 10/25/2004, Stevo wrote:
> I just installed Snort and am receiving a number of these http_inspect errors. They are all between internal hosts and my OWA server in my DMZ and I'd like to disable them, but I can't work out how!

<bares savage teeth>

> Any ideas for me??  Please be gentle!

(Aw.. darn.. he asked me to be gentle)

 <slowly lips retract over teeth>


Look in snort.conf:

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

This makes http_inspect monitor more-or-less anything as a server, and any path over 500 bytes triggers an oversize directory. This tends to be a bit noisy.

Instead, you can tell http_inspect only to monitor specific servers for attack, and/or modify the "oversize_dir_length" to an appropriate value for your server software:

preprocessor http_inspect_server: server 1.1.1.1 \
    profile all ports { 80 } oversize_dir_length 400
preprocessor http_inspect_server: server 2.2.2.2 \
    profile all ports { 80 } oversize_dir_length 600

You can also customize other settings, check in README.http_inspect in the doc subdir of the tarball.

I don't know of any way to ignore specific clients, so in general your best bet is to relax the settings for that server to the actual thresholds for the system.

You might also want to change from "profile all" to "profile iis" or "profile apache" as appropriate. This will disable some unnecessary detections that don't affect the particular platform. "all" tends to be a hodge-podge mode which detects anything which might trouble either kind of server.
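
As an added example (not part of Matt's reply or the stock snort.conf), here is how those pieces fit together in one http_inspect block: the global line, the catch-all "server default" entry kept as-is, and a more specific entry for the OWA host that uses the iis profile (OWA runs on IIS) with a threshold chosen for that box. The addresses 10.0.0.5 (OWA) and 10.0.0.6 (an Apache server added only for contrast), the threshold values, and the port lists are assumptions; the option names are those documented in README.http_inspect for Snort 2.x.

```conf
# Global http_inspect settings. The unicode map is required here and is
# what the iis profile below uses for IIS-style unicode decoding; the path
# is relative to the directory holding snort.conf (assumed location).
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# Catch-all entry, unchanged from the stock snort.conf: anything that is
# not matched by a more specific "server <ip>" line below is inspected
# with the noisy "all" profile and the 500-byte directory threshold.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

# OWA host in the DMZ (assumed address 10.0.0.5). OWA runs on IIS, so the
# iis profile drops the Apache-only checks. The threshold (assumed value)
# should be set just above the longest legitimate OWA path seen in the
# alerts, not simply raised until the alerts stop.
preprocessor http_inspect_server: server 10.0.0.5 \
    profile iis ports { 80 } oversize_dir_length 1000

# Hypothetical Apache server (10.0.0.6), shown for contrast: the apache
# profile and a tighter threshold tuned to that site's own URL layout.
preprocessor http_inspect_server: server 10.0.0.6 \
    profile apache ports { 80 } oversize_dir_length 300
```

Two things to keep in mind when adapting this. A "server <ip>" line overrides "server default" only for traffic to that address, so the default entry keeps covering everything else. And once you use "profile", http_inspect only lets you combine it with a small set of other options (ports, iis_unicode_map, allow_proxy_use, flow_depth, no_alerts, inspect_uri_only and oversize_dir_length); the individual normalization switches such as iis_unicode or apache_whitespace are set by the profile and cannot be mixed with it. If the directory alerts are the only thing bothering you, resist the temptation to put no_alerts on the OWA line: that silences every http_inspect alert for that host, which is a much bigger hammer than fixing the threshold.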
