Snort mailing list archives
v2.3 http_inspect help/issue?
From: Rich Adamson <radamson () routers com>
Date: Sun, 6 Mar 2005 05:49:46 -0600
Issue is with win32 Snort_230_Build10_Installer.exe pulled Saturday, but probably applies to nix versions as well. It installs just fine. (FWIW, been using win32 snort since about the v1.8 days.)

In snort.conf, adding the "double_decode no" as in:

    preprocessor http_inspect_server: server default \
        profile all ports { 80 8080 8180 } oversize_dir_length 500 double_decode no

causes the following startup error:

    ERROR: E:\snort-v2-3\etc\snort.conf(308) => Invalid token while configuring the profile token. The only allowed tokens when configuring profiles are: 'ports', 'iis_unicode_map', 'allow_proxy_use', 'flow_depth', 'no_alerts', 'oversize_dir_length', and 'inspect_uri_only'.
    Fatal Error, Quitting..

Removing the double_decode parameter allows snort to start and function in a very normal manner. If I uncomment the ten-line example for http_inspect where the parameters are applied to a "specific server", then the double_decode parameter is accepted and snort runs fine.

It would seem like the double_decode parameter should be usable in the default http_inspect statement as shown above. The logic in that thought is essentially one of... the default startup parameter for this causes a fair amount of noise when HOME_NET users visit EXTERNAL_NET web servers. Previous postings have suggested the above preprocessor statement is needed to normalize http traffic for certain rules. If that is true, then how does one eliminate the many false positives associated with double decodes if the parameter can't be applied to the default statement?

FWIW, several of the parameters shown in the snort.conf example are _not_ acceptable in the above preprocessor statement, and cause snort to exit with the above error message. Is this really the expected behavior? (Perhaps my understanding of the preprocessor is not correct however.)
If I use the reverse logic for the preprocessor, it would suggest one or more of the following:

a) the "server default" preprocessor line can never be used when snort is monitoring internet gateway traffic (both incoming and user outgoing http sessions), as it generates lots of false positives for HOME_NET to EXTERNAL_NET traffic (eg, external web servers) and there doesn't appear to be any way to manage those alerts.

b) if snort is monitoring internet gateway traffic and there are many internal web servers accessible from the internet, one would have to define an http_inspect section for "each" server, since it does not accept "server 1.2.3.0/24" logic.

c) the preprocessor does not accept variables (such as HTTP_SERVERS and HTTP_PORTS), therefore one http_inspect section has to be defined for "each" internal http server. Seems like a waste when one section could be applied to all internal http servers.

d) since the http_inspect preprocessor was apparently written to help protect/identify issues with company-owned web servers (not external_net servers), the README_http_inspect text should probably address the above issues in a little bit more detail, and specifically talk about the "server default" statement.

Am I way off base or misunderstanding the preprocessor?

Rich
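The startup error quoted in the post spells out the rule that bites here: once a "profile" token is present on an http_inspect_server line, Snort 2.3 only accepts a fixed set of companion options, and double_decode is not among them. The following Python script, added here as an illustration and not code from the post or from the Snort project, lints a snort.conf stanza against exactly that rule so the conflict is caught before Snort refuses to start. The allowed-token list and the sample stanza are taken from the post; the option arities for options not shown in the post (iis_unicode_map, allow_proxy_use, flow_depth, no_alerts, inspect_uri_only) are assumptions about the Snort 2.3 syntax, labelled as such in the code.

```python
import re

# Tokens Snort 2.3 accepts alongside "profile", copied verbatim from the
# startup error message quoted in the post.
PROFILE_COMPATIBLE = {
    "ports", "iis_unicode_map", "allow_proxy_use", "flow_depth",
    "no_alerts", "oversize_dir_length", "inspect_uri_only",
}

# How many value tokens follow each option keyword ("list" = a { ... } block).
# The first four are visible in the post's own stanza; the rest are ASSUMED
# from the Snort 2.3 http_inspect syntax and are not shown on the page.
OPTION_ARITY = {
    "profile": 1, "ports": "list", "oversize_dir_length": 1, "double_decode": 1,
    "iis_unicode_map": 3,      # assumed: <map file> codemap <integer>
    "allow_proxy_use": 0,      # assumed: flag
    "flow_depth": 1,           # assumed: <integer>
    "no_alerts": 0,            # assumed: flag
    "inspect_uri_only": 0,     # assumed: flag
}

# Constructed sample: the "server default" stanza from the post.
DEFAULT_STANZA = """preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 8180 } oversize_dir_length 500 double_decode no
"""

# Constructed sample: same options without "profile", which the post reports
# as the form Snort accepts (the "specific server" example).
NO_PROFILE_STANZA = """preprocessor http_inspect_server: server 192.0.2.10 \\
    ports { 80 8080 8180 } oversize_dir_length 500 double_decode no
"""


def join_continuations(text):
    """Collapse backslash-newline continuations into one logical line."""
    return re.sub(r"\\\s*\n\s*", " ", text).strip()


def parse_options(text):
    """Return (server_target, [(keyword, [value tokens]), ...]) for one
    http_inspect_server stanza. Raises ValueError on unknown keywords or
    a malformed { ... } list."""
    line = join_continuations(text)
    m = re.match(r"preprocessor\s+http_inspect_server:\s*server\s+(\S+)\s*(.*)$", line)
    if not m:
        raise ValueError("not an http_inspect_server stanza")
    target, rest = m.group(1), m.group(2)
    toks = rest.replace("{", " { ").replace("}", " } ").split()
    opts, i = [], 0
    while i < len(toks):
        kw = toks[i]
        i += 1
        arity = OPTION_ARITY.get(kw)
        if arity is None:
            raise ValueError(f"unknown option '{kw}'")
        if arity == "list":
            if i >= len(toks) or toks[i] != "{" or "}" not in toks[i:]:
                raise ValueError(f"'{kw}' expects a {{ ... }} list")
            close = toks.index("}", i)
            opts.append((kw, toks[i + 1:close]))
            i = close + 1
        else:
            opts.append((kw, toks[i:i + arity]))
            i += arity
    return target, opts


def check_profile_conflicts(text):
    """Return the option names Snort 2.3 would reject on this stanza: any
    option used together with 'profile' that is not in PROFILE_COMPATIBLE.
    An empty list means the stanza passes this particular check."""
    _, opts = parse_options(text)
    names = [kw for kw, _ in opts]
    if "profile" not in names:
        return []
    return [kw for kw in names if kw != "profile" and kw not in PROFILE_COMPATIBLE]


if __name__ == "__main__":
    for stanza in (DEFAULT_STANZA, NO_PROFILE_STANZA):
        target, _ = parse_options(stanza)
        bad = check_profile_conflicts(stanza)
        print(f"server {target}: " + (f"rejected with profile: {bad}" if bad else "ok"))
```

Run as-is it reports the post's "server default" stanza as rejected because of double_decode and the profile-less stanza as accepted, which matches the behaviour the post describes: the option is fine on its own, but not next to "profile all".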
Current thread:
- v2.3 http_inspect help/issue? Rich Adamson (Mar 06)
- Re: v2.3 http_inspect help/issue? marc norton (Mar 07)