Snort mailing list archives
Re: http_inspect question
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 25 Oct 2004 16:25:32 -0400
At 02:53 PM 10/25/2004, Stevo wrote:
I just installed Snort and am receiving a number of these http_inspect errors. They are all between internal hosts and my OWA server in my DMZ and I'd like to disable them, but I can't work out how!
<bares savage teeth>
Any ideas for me?? Please be gentle!
(Aw.. darn.. he asked me to be gentle) <slowly lips retract over teeth>

Look in snort.conf:

    preprocessor http_inspect_server: server default \
        profile all ports { 80 8080 8180 } oversize_dir_length 500

This makes http_inspect monitor more-or-less anything as a server, and any path over 500 bytes triggers an oversize directory. This tends to be a bit noisy.
Instead, you can tell http_inspect only to monitor specific servers for attack, and/or modify the "oversize_dir_length" to an appropriate value for your server software:
    preprocessor http_inspect_server: server 1.1.1.1 \
        profile all ports { 80 } oversize_dir_length 400
    preprocessor http_inspect_server: server 2.2.2.2 \
        profile all ports { 80 } oversize_dir_length 600

You can also customize other settings, check in README.http_inspect in the doc subdir of the tarball.
I don't know of any way to ignore specific clients, so in general your best bet is to relax the settings for that server to the actual thresholds for the system.
You might also want to change from "profile all" to "profile iis" or "profile apache" as appropriate. This will disable some unnecessary detections that don't affect the particular platform. "all" tends to be a hodge-podge mode which detects anything which might trouble either kind of server.
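Added example (not part of the original post or of Snort): a short Python script for choosing a per-server oversize_dir_length from observed traffic, as the reply suggests. It assumes "directory length" means the raw characters between two slashes in the request path; the sample requests, function names and the 25% headroom are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample request lines for an OWA-style server (not real traffic).
SAMPLE_REQUESTS = [
    "GET /exchange/stevo/Inbox/?Cmd=contents HTTP/1.1",
    "GET /exchweb/img/logo.gif HTTP/1.1",
    "GET /exchange/stevo/" + "A" * 520 + "/msg.EML HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

def request_uri(line):
    """Return the URI field of a 'METHOD URI VERSION' request line."""
    return line.split()[1]

def longest_dir(uri):
    """Length of the longest directory component in the URI path.

    Assumption: a directory is the text between two slashes; the final
    component (the file name) and the query string are not counted.
    """
    parts = urlsplit(uri).path.split("/")[1:-1]
    return max((len(p) for p in parts), default=0)

def over_threshold(uris, threshold):
    """URIs that would exceed a given oversize_dir_length value."""
    return [u for u in uris if longest_dir(u) > threshold]

def suggest_threshold(uris):
    """Largest observed directory length plus 25% headroom."""
    peak = max(longest_dir(u) for u in uris)
    return peak + peak // 4

URIS = [request_uri(line) for line in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for limit in (400, 500, 600):
        hits = over_threshold(URIS, limit)
        print(f"oversize_dir_length {limit}: {len(hits)} request(s) would alert")
    print("suggested oversize_dir_length:", suggest_threshold(URIS))
```

Run it over request lines taken from the server's own logs for a representative period, then put the result in that server's http_inspect_server line.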