Snort mailing list archives

Re: Is it dangerous to tweak http_inspect defaults


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 12 Oct 2011 12:55:58 -0400

What we call our "current" snort.conf is the .conf that is shipped in the VRT rules download tarball in the etc/ 
directory.  It contains our current configuration that we test and write our rules against and also what we expect 
environments, for the most part, to be configured like.  This snort.conf is synced before "release" of a Snort version 
(so the version that is shipped in Snort 2.9.1.1's etc/ directory is the configuration that was current at that time).

When the configuration changes I post them on http://blog.snort.org.

All Snort configurations require tuning for their environment (memory, rules enabled, locations, vars, etc.); however, 
the detection options should be enabled in order to provide full coverage and utilize the full features of Snort.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 12, 2011, at 12:29 PM, Mike Lococo wrote:

Hi Folks,

I'm doing a periodic review of my snort.conf config against what is 
included in the current tarball and noticing that there are a number of 
seemingly useful http_inspect options that aren't enabled by default. 
I'm looking at normalize_cookies, normalize_headers, and normalize_utf 
in particular.

I understand that turning these on might have some performance impact, 
and am comfortable measuring that.  What I'm less clear on is whether 
enabling these options will adversely affect any rule-logic.  In 
particular, I'm thinking of effects like those described in [1] where 
data is removed from a buffer where it used to be present (like 
http_header) and put *instead* into a new buffer (like http_cookie) that 
may or may not be checked.  Another potential negative effect I can 
imagine is where rules are actually coded to look for content that gets 
normalized out (for example, look for a URI with many consecutive 
slashes in it).

Is the VRT config a best practice that one deviates from only with good 
reason and much testing, or does it represent a minimum bar where it's 
likely to be worth enabling additional normalization if you have the CPU 
cycles for it?

[1] http://trojanedbinaries.com/blog/?p=212
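The two failure modes Mike describes (a header moving out of the http_header buffer into a separate http_cookie buffer, and a content match written against bytes that normalization removes, such as "//" in a URI) can be shown with a small model of how http_inspect populates the http_* buffers. The code below is an added illustration for this page, not Snort's preprocessor and not VRT code: the normalization it performs (percent-decoding, slash collapsing and directory traversal resolution for http_uri; percent-decoding for headers and cookies) is a simplified approximation of the real options, the sample request and the rule names are constructed for the example, and the assumption that enabling cookie extraction removes the Cookie line from http_header reflects my reading of the Snort 2.9 http_inspect documentation rather than anything stated in the thread.

```python
"""
Toy model of how http_inspect configuration changes what a buffer-bound
Snort content match can see.  Added illustration for this page, not Snort
code; every normalization step here is a deliberate simplification.
"""
import re
from urllib.parse import unquote

# Constructed sample request (not captured from any real host).
SAMPLE_REQUEST = (
    "GET /cgi-bin//..//%2e%2e/etc/passwd HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=abc%3Bevil\r\n"
    "User-Agent: curl/7.0\r\n"
    "\r\n"
)


def normalize_path(uri):
    """Approximate URI normalization: percent-decode, collapse repeated
    slashes, resolve '.' and '..' segments.  Snort's real behaviour has
    many more knobs (iis_unicode, utf_8, double_decode, ...)."""
    path = unquote(uri)                   # %2e -> '.'
    path = re.sub(r"/+", "/", path)       # '//' -> '/'
    parts = []
    for seg in path.strip("/").split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts)


def normalize_text(value):
    """Approximation of normalize_headers / normalize_cookies: apply the
    same percent-decoding used for the URI to a header or cookie value."""
    return unquote(value)


def build_buffers(request, enable_cookie=False, normalize_headers=False,
                  normalize_cookies=False):
    """Return the http_* buffers as this simplified http_inspect would
    expose them under the given options.  Assumption (from my reading of
    the Snort manual): with enable_cookie on, the Cookie line is removed
    from http_header and placed in http_cookie / http_raw_cookie."""
    head, _, body = request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, raw_uri, _version = request_line.split(" ", 2)

    buffers = {"http_method": method, "http_raw_uri": raw_uri,
               "http_uri": normalize_path(raw_uri),   # always normalized
               "http_client_body": body}

    kept, cookie_value = [], None
    for line in header_lines:
        name, _, value = line.partition(":")
        if enable_cookie and name.strip().lower() == "cookie":
            cookie_value = value.strip()   # moved out of the header buffer
            continue
        kept.append(line)

    raw_header = "\r\n".join(kept)
    buffers["http_raw_header"] = raw_header
    buffers["http_header"] = (normalize_text(raw_header)
                              if normalize_headers else raw_header)
    if cookie_value is not None:
        buffers["http_raw_cookie"] = cookie_value
        buffers["http_cookie"] = (normalize_text(cookie_value)
                                  if normalize_cookies else cookie_value)
    return buffers


# (name, buffer the content is bound to, content) - constructed examples.
RULES = [
    ("double-slash-uri",      "http_uri",     "//"),           # normalized away
    ("double-slash-raw-uri",  "http_raw_uri", "//"),           # survives
    ("dotdot-raw-uri",        "http_raw_uri", "%2e%2e"),
    ("traversal-norm-uri",    "http_uri",     "/etc/passwd"),
    ("session-in-header",     "http_header",  "session="),     # breaks w/ cookie split
    ("session-in-cookie",     "http_cookie",  "session="),     # needs enable_cookie
    ("semicolon-in-cookie",   "http_cookie",  ";evil"),        # needs normalize_cookies
]


def evaluate_rules(rules, buffers):
    """Names of rules whose content is found in the buffer they are bound
    to.  A rule bound to a buffer that does not exist under this config
    silently fails to match, which is exactly the concern in the thread."""
    return [name for name, buf, content in rules
            if content in buffers.get(buf, "")]


def compare_configs(request=SAMPLE_REQUEST, rules=RULES):
    """Run the same rules against the same request under three configs."""
    return {
        "default": evaluate_rules(rules, build_buffers(request)),
        "enable_cookie": evaluate_rules(
            rules, build_buffers(request, enable_cookie=True)),
        "enable_cookie+normalize_cookies": evaluate_rules(
            rules, build_buffers(request, enable_cookie=True,
                                 normalize_cookies=True)),
    }


if __name__ == "__main__":
    for cfg, hits in compare_configs().items():
        print(f"{cfg:32s} {hits}")
```

Running it shows the two effects side by side: the "//" match bound to http_uri never fires because the normalized buffer has no double slash (the same content bound to http_raw_uri does), and the "session=" match bound to http_header fires only while cookies stay in the header buffer, then stops the moment cookie extraction is enabled, while its http_cookie twin only starts firing at that point. The practical check before changing any of these options is therefore to grep the rule set for content matches bound to the affected buffers and re-run the relevant pcaps under both configurations.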
