Snort mailing list archives
RES: RES: Snort - http_inspect
From: "Hugo Leonardo Ferrer Rebello" <Hugo.Rebello () t-systems com br>
Date: Fri, 17 Jul 2009 12:02:24 -0300
HTTP_INSPECT setting:

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 28591

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } \
    oversize_dir_length 1000 \
    no_alerts

Snort Version 2.8.4.1

Thank you.

Cheers,
Hugo

-----Original Message-----
From: Matt Olney [mailto:molney () sourcefire com]
Sent: Friday, July 17, 2009 11:08
To: Hugo Leonardo Ferrer Rebello
Cc: Nerijus Krukauskas; snort-users () lists sourceforge net
Subject: Re: [Snort-users] RES: Snort - http_inspect

OK...what are your HTTP_INSPECT settings...and what version of Snort are you running?

Thanks,
Matt

On Fri, Jul 17, 2009 at 7:47 AM, Hugo Leonardo Ferrer Rebello <Hugo.Rebello () t-systems com br> wrote:
I got it from my monitoring server.

-----Original Message-----
From: Matt Olney [mailto:molney () sourcefire com]
Sent: Friday, July 17, 2009 04:57
To: Nerijus Krukauskas
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] RES: Snort - http_inspect

What kind of awesomeness did you do to get an http_inspect directory traversal alert on UDP 161 traffic? Or am I missing something?

Matt

On Fri, Jul 17, 2009 at 1:38 AM, Nerijus Krukauskas <nkrukauskas () gmail com> wrote:

On 2009-07-16, Hugo Leonardo Ferrer Rebello <Hugo.Rebello () t-systems com br> wrote:

Could you help me understand gen_id and sig_id in the suppress syntax? I created the rule below, but it's not working.

suppress gen_id 119, sig_id 16, track by_src, ip 10.58.xxx.xxx

http_inspect is NOT gen_id 1. From the doc/README.http_inspect: "HTTP Inspect used generator ID 119 and 120." RTFM! :)

Oh, and http://www.joelesler.net/finshake/The_Snort_Drinking_Game.html. :)

--
http://nk99.org/
------------------------------------------------------------------------------
Enter the BlackBerry Developer Challenge
This is your chance to win up to $100,000 in prizes! For a limited time, vendors submitting new applications to BlackBerry App World(TM) will have the opportunity to enter the BlackBerry Developer Challenge. See full prize details at: http://p.sf.net/sfu/Challenge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
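The point Nerijus makes, that http_inspect alerts come from generator 119 (or 120) rather than generator 1, can be checked offline before editing threshold.conf: a suppress entry whose gen_id does not match the alert's generator never fires, so the alert keeps appearing. The script below is an added example, not code from the thread or from Snort. It parses threshold.conf-style suppress entries (a single address or CIDR block after "ip"; Snort's bracketed ip lists are not handled here) and Snort fast-format alert lines, and reports which alerts each entry would silence. The alert lines, the 10.58.100.x addresses and the alert message text are constructed for the example; generator 1 is the generator ID of ordinary Snort rules.

```python
"""Decide which Snort alerts a threshold.conf 'suppress' entry would silence.
Added example; not code from the snort-users thread or from Snort itself."""
import ipaddress
import re

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr|cidr>]
_SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)

# Snort fast alert format: "... [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port"
_GID_SID_RE = re.compile(r"\[(\d+):(\d+):\d+\]")
_ADDR_RE = re.compile(r"(\d+(?:\.\d+){3}):\d+\s*->\s*(\d+(?:\.\d+){3}):\d+")


def parse_suppress(line):
    """Parse one suppress entry into a dict; raise ValueError on bad syntax."""
    m = _SUPPRESS_RE.match(line)
    if not m:
        raise ValueError(f"not a valid suppress entry: {line!r}")
    entry = {"gid": int(m.group("gid")), "sid": int(m.group("sid")),
             "track": m.group("track"), "net": None}
    if m.group("ip"):
        # single address (treated as /32) or CIDR block
        entry["net"] = ipaddress.ip_network(m.group("ip"), strict=False)
    return entry


def parse_fast_alert(line):
    """Return (gid, sid, src_ip, dst_ip) from a fast-format alert line."""
    ids = _GID_SID_RE.search(line)
    addrs = _ADDR_RE.search(line)
    if not ids or not addrs:
        raise ValueError(f"not a fast-format alert line: {line!r}")
    return int(ids.group(1)), int(ids.group(2)), addrs.group(1), addrs.group(2)


def suppresses(entry, gid, sid, src_ip, dst_ip):
    """True if an alert (gid, sid, src, dst) is silenced by this entry."""
    if (entry["gid"], entry["sid"]) != (gid, sid):
        return False          # wrong generator or signature: never matches
    if entry["net"] is None:
        return True           # no track clause: suppress for every host
    addr = ipaddress.ip_address(src_ip if entry["track"] == "by_src" else dst_ip)
    return addr in entry["net"]


def evaluate(config_text, alert_lines):
    """For each alert, report ((gid, sid), src_ip, suppressed?) under the config."""
    entries = [parse_suppress(l) for l in config_text.splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    results = []
    for line in alert_lines:
        gid, sid, src, dst = parse_fast_alert(line)
        hit = any(suppresses(e, gid, sid, src, dst) for e in entries)
        results.append(((gid, sid), src, hit))
    return results


# Constructed sample data (not from the thread): two http_inspect 119:16 alerts
# from two hosts; the message text is a placeholder.
ALERTS = [
    "07/17-11:59:01.000000  [**] [119:16:1] (http_inspect) CONSTRUCTED ALERT TEXT [**] "
    "[Priority: 3] {TCP} 10.58.100.7:49152 -> 10.58.200.9:80",
    "07/17-11:59:02.000000  [**] [119:16:1] (http_inspect) CONSTRUCTED ALERT TEXT [**] "
    "[Priority: 3] {TCP} 10.58.100.8:49153 -> 10.58.200.9:80",
]

# The mistake discussed in the thread: gen_id 1 is the rules engine, not http_inspect.
WRONG_CONFIG = "suppress gen_id 1, sig_id 16, track by_src, ip 10.58.100.7"
# Correct generator for http_inspect alerts (README.http_inspect: 119 and 120).
RIGHT_CONFIG = "suppress gen_id 119, sig_id 16, track by_src, ip 10.58.100.7"

if __name__ == "__main__":
    for name, cfg in (("gen_id 1", WRONG_CONFIG), ("gen_id 119", RIGHT_CONFIG)):
        print(name)
        for ids, src, hit in evaluate(cfg, ALERTS):
            print(f"  {ids[0]}:{ids[1]} from {src}: {'suppressed' if hit else 'still alerts'}")
```

Running the script shows the gen_id 1 entry silencing nothing, while the gen_id 119 entry silences only the 10.58.100.7 alert, which is exactly the behaviour Hugo was seeing before the generator ID was corrected.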