Re: Use of iis_unicode_map in HTTP Inspect on Linux IDS host

["Joel Esler (jesler)" <jesler () cisco com>]

That’s the part I was writing about.  I’d just go with apache if that’s all you are running.  


> On Feb 28, 2015, at 7:00 PM, Research <research () nativemethods com> wrote:
>
> Hi,
>
> Ok per server configuration . . . currently I have:
>
>       preprocessor http_inspect_server: server 1.2.3.4 profile all ports { 80 }
>
> I have a profile of “all” instead of “apache” because I read in the manual that “all” is:
>
>       "This is a great profile for detecting all types of attacks, regardless of the HTTP server.”
>
> …but that should be specified as “apache”, or am I referring to the wrong part of snort.conf ?
>
> Thanks
>
> On Feb 28, 2015, at 6:56 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
>
> > You don’t need to adjust that part (if I understand your question correctly), you do, however, need to have a per 
> > server apache configuration line for http_inspect
> >
> >
> > > On Feb 28, 2015, at 6:43 PM, Research <research () nativemethods com> wrote:
> > >
> > > Hi,
> > >
> > > I had a question involving an option to the global setting of the HTTP inspect pre-processor in snort 2.9.7.0.
> > >
> > > The default setting for the global settings for this pre-processor in snort.conf are:
> > >
> > >     preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
> > >
> > > I see that iis_unicode_map unicode.map 1252 refers to the unicode.map file in /etc/snort and is using codepage 
> > > 1252, but I was wondering if this is necessary if the host that Snort is running on is using Linux and Apache ?  Do 
> > > I have to adjust that accordingly ?  I am doubly unsure because I note in the PDF of the manual on page 60 the 
> > > following:
> > >
> > >     "The iis unicode map is a required configuration parameter.”
> > >
> > > …which makes me think it applies to *ANY* HTTP server.  As a consequence, I have left it as a default setting but 
> > > am wondering if it could and should be modified.
> > >
> > > Thanks
> > > ------------------------------------------------------------------------------
> > > Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> > > by Intel and developed in partnership with Slashdot Media, is your hub for all
> > > things parallel software development, from weekly thought leadership blogs to
> > > news, videos, case studies, tutorials and more. Take a look and join the 
> > > conversation now. http://goparallel.sourceforge.net/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!