Snort mailing list archives

HTTP inspect problem


From: redwookie () gmail com
Date: Tue, 01 Dec 2009 19:59:59 +0000

Hey all - relative noob issue, but I cannot locate an answer anywhere else.
Been fighting with issues in the snort.conf file, and I cannot get past it.
Working with Snort 2.8.5.1 on Win2003 with IDScenter 1.1 rc4.
Error is "Must configure the HTTP inspect global configuration first."

Here's the relevant section from my snort.conf file:
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows timeout 180
preprocessor stream5_global: track_tcp yes, max_tcp 8192, track_udp no
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes
#preprocessor stream5_udp: ignore_any_rules
preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252
preprocessor http_inspect_server: \
preprocessor ftp_telnet: \
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
preprocessor SMTP: \
preprocessor ssh: server_ports { 22 } \
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
preprocessor dns: ports { 53 } enable_rdata_overflow

Seems to me that the http_inspect: global is indeed set. I even modified the default from the latest rules to have the full path to the unicode map, and it shows that when the code runs, but stops at the next section. I was having this issue with Stream5, but I took out a comma and a slash and it started working past that.
(What are the rules for using the commas and the slashes?)
Thanks in advance for any help.
Redd