Snort mailing list archives

Re: Problems with multipleconfigs.


From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Fri, 11 Mar 2011 13:34:22 -0500

On Fri, Mar 11, 2011 at 12:34 PM, carlopmart <carlopmart () gmail com> wrote:

On 03/11/2011 06:13 PM, Bhagya Bantwal wrote:
Http Inspect needs to be enabled when using http content modifiers such
as http_method, http_header, http_uri etc. It looks like you have rules
with http content modifiers in your all.rules.

You don't have to turn them on in all configs. Just turn them on in the
config which includes the rule with http modifiers (in your case, the
config which includes all.rules).

Without http inspect, the HTTP headers, uri etc. are not extracted, and
hence the error.

-B


Thanks, Bhagya, for your response. I have turned it on only in the secondary
snort configuration, but if an entry about http inspect doesn't exist
in snort.conf, snort doesn't start. I have not activated any rule in
the main configuration file, only in the secondary config files.


What is your http config?

If you are using the http config variables such as compress_depth and
decompress_depth you need to specify these in your base conf (snort.conf in
your case).

-B



--
CL Martinez
carlopmart {at} gmail {d0t} com


------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
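
The two checks described in the replies above, as an added example that is not part of the original thread and not Snort's own code. The function names and the sample config and rule text are constructed for illustration, and rule text is passed in directly rather than resolved from `include` lines.

```python
import re

# Content modifiers named in the thread; they need Http Inspect's buffers.
HTTP_MODIFIERS = ("http_method", "http_header", "http_uri")
# Global http_inspect options the thread says must appear in the base config.
BASE_ONLY = ("compress_depth", "decompress_depth")

def active(text):
    """Return stripped lines that are neither blank nor comments."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]

def global_lines(conf):
    """Lines of the form 'preprocessor http_inspect: global ...'."""
    return [l for l in active(conf) if re.match(r"preprocessor\s+http_inspect\s*:", l)]

def enabled(conf):
    return any(re.match(r"preprocessor\s+http_inspect", l) for l in active(conf))

def has(word, lines):
    return any(re.search(rf"\b{word}\b", l) for l in lines)

def check(base_conf, bound_confs):
    """bound_confs maps a config name to (config text, text of the rules it includes)."""
    findings = []
    base = global_lines(base_conf)
    for name, (conf, rules) in sorted(bound_confs.items()):
        used = [m for m in HTTP_MODIFIERS if has(m, active(rules))]
        if used and not enabled(conf):
            findings.append(f"{name}: rules use {', '.join(used)} but http_inspect is not enabled")
        for opt in BASE_ONLY:
            if has(opt, global_lines(conf)) and not has(opt, base):
                findings.append(f"{name}: {opt} is set here but not in the base config")
    return findings

# Constructed samples (not taken from the poster's files).
BASE = "preprocessor http_inspect: global iis_unicode_map unicode.map 1252\n"
SECONDARY = (
    "preprocessor http_inspect: global iis_unicode_map unicode.map 1252 "
    "compress_depth 65535 decompress_depth 65535\n"
    "preprocessor http_inspect_server: server default ports { 80 }\n"
)
NO_HTTP = "# secondary config without http_inspect\n"
RULES = 'alert tcp any any -> any 80 (msg:"constructed sample"; content:"POST"; http_method; sid:1000001;)\n'

if __name__ == "__main__":
    for finding in check(BASE, {"secondary.conf": (SECONDARY, RULES), "other.conf": (NO_HTTP, RULES)}):
        print(finding)
```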
