Re: HTTP inspect problem

[Nigel Houghton <nhoughton () sourcefire com>]

On Tue, Dec 1, 2009 at 2:59 PM,  <redwookie () gmail com> wrote:
> Hey all - relative noob issue, but I cannot locate an answer anywhere else.
> Been fighting with issues in the snort.conf file, and I cannot get past it.
> Working with Snort 2.8.5.1 on Win2003 with IDScenter 1.1 rc4.
> Error is "Must configure the HTTP inspect global configuration first."
>
> Here's the relevant section from my snort.conf file:
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy windows timeout 180
> preprocessor stream5_global: track_tcp yes, max_tcp 8192, track_udp no
> preprocessor stream5_tcp: policy windows, use_static_footprint_sizes
> #preprocessor stream5_udp: ignore_any_rules
> preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map
> 1252
> preprocessor http_inspect_server: \
> preprocessor ftp_telnet: \
> preprocessor ftp_telnet_protocol: \
> preprocessor ftp_telnet_protocol: \
> preprocessor ftp_telnet_protocol: \
> preprocessor SMTP: \
> preprocessor ssh: server_ports { 22 } \
> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900
> 7901
> 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916
> 7917
> 7918 7919 7920 }, trustservers, noinspect_encrypted
> preprocessor dcerpc2: memcap 102400, events [co ]
> preprocessor dcerpc2_server: default, policy WinXP, \
> preprocessor dns: ports { 53 } enable_rdata_overflow
>
> Seems to me that the http_inspect: global is indeed set. I even modified the
> default from the latest rules
> to have the full path to the unicode map, and it shows that when the code
> runs, but stops at the next section.
> I was having this issue with Stream5, but I took out a comma and a slash and
> it started working past that.
> (What are the rules for using the commas and the slashes?)
> Thanks in advance for any help.
> Redd
> ------------------------------------------------------------------------------
> Join us December 9, 2009 for the Red Hat Virtual Experience,
> a free event focused on virtualization and cloud computing.
> Attend in-depth sessions from your desk. Your couch. Anywhere.
> http://p.sf.net/sfu/redhat-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


The snort.conf looks a little weird. Not sure if those "c:\" windows
paths cause problems with parsing since "\" is used to escape line
endings for multiple lines in the config. I don't use Windows at all,
so I have no testbed to help out here.

Also, on a related note, the "\" in the rest of the snippet are
escaping line endings when they aren't needed. Did you try editing the
file by hand, i.e. constructing it yourself from the default
snort.conf in the Snort tarball?

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing. 
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users