Snort mailing list archives

Re: HTTP Inspect with only a GET request.


From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 22 May 2013 14:20:30 -0400

On Wed, May 22, 2013 at 2:09 PM, James Lay <digitalx00 () gmail com> wrote:

On May 22, 2013, at 12:03 PM, Joel Esler <jesler () sourcefire com> wrote:

On May 22, 2013, at 1:08 PM, Russ Combs <rcombs () sourcefire com> wrote:

On Wed, May 22, 2013 at 11:27 AM, Shawn Lee <dashawn () gmail com> wrote:

Thanks for the input. That works great on static files. Is there a way to
have this work with snort listening to an interface in IDS mode?


Presently, not without the ACK.


To clarify, this will work if you use "preprocessor normalize_tcp: ips"
directive in your snort.conf.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


Will this work even if you're not running IPS mode?  I've always wondered whether to
leave the IPS mode jazz in my config or not.. thanks Joel.

No, which is why I said, in IDS mode, you need the ack.

But you can leave the IPS setting in your conf.  It will give a
warning and otherwise be ignored in passive mode:

"WARNING: tcp normalizations disabled because not inline."

James

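As an added illustration of the two settings discussed in this thread (this fragment is not from the thread or from the Snort project; the `config policy_mode` line and the comments are my assumptions about Snort 2.9-era snort.conf syntax), a snort.conf excerpt showing the passive setting beside the inline one:

```conf
# Added example (not from the thread): snort.conf settings relevant to the discussion.
# Assumption: Snort 2.9.x syntax; adjust to your deployment.

# Passive (IDS) mode: Snort only sniffs the interface, so it cannot
# normalize TCP. With this mode the ips normalizer below is ignored and
# Snort logs "WARNING: tcp normalizations disabled because not inline."
config policy_mode: tap

# Inline (IPS) mode: the normalizer is active, which is the case Joel
# describes where the GET is inspected without waiting on the ACK.
# config policy_mode: inline

# Safe to leave in place in passive mode; it only produces the warning above.
preprocessor normalize_tcp: ips
```

Switch the commented `policy_mode` lines to move between the two cases; the `normalize_tcp: ips` line can stay in both.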

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
