Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: http inspect editing

From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 24 Feb 2005 16:46:38 -0500
At 03:51 PM 2/24/2005, David Naylor wrote:
Does anyone know how to edit unclassified rules? For example, I would like to edit or delete the rule for "double decoding attack" - http_inspect 

That's not a rule at all, it's an alert generated by a preprocessor.
Since it's not a rule, you'd need to modify the source code for http_inspect and recompile snort to do any kind of edit.
However, you can change the parameters you pass to http_inspect in your snort.conf to disable this detection. Just add "double_decode no" to your profile in snort.conf.
My personaly approach is to not have any "default" http_inspect. I only run http_inspect against my specific webservers. 
i.e:

preprocessor http_inspect_server: server 208.39.141.94 \
    profile all ports <censored rest of config>
See the README.http_inspect that comes with the snort tarball for a bit more detail on what kinds of things you can tell http_inspect to do or not do. 






-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: