Snort mailing list archives
RE: re: http\_inspect alerts
From: CMartin () infosol com
Date: Wed, 31 Dec 2003 14:41:24 -0700
Check out the new documentation for snort 2.1.0 and check out the new http_decoder. It will tell you about turning on and off and even customizing some of the alerts! -----Original Message----- From: adam_peterson () splwg com [mailto:adam_peterson () splwg com] Sent: Wednesday, December 31, 2003 2:17 PM To: jeff-kell () utc edu Cc: snort-users () lists sourceforge net Subject: [Snort-users] re: http\_inspect alerts i finally have 2.1.0 compiled and working on solaris 8 and now i'm catching up with you guys. i'm getting the same (http\_inspect) NON-RFC DEFINED CHAR alerts and i've tried disabling all alerts to no avail. based on the readme, adding no_alerts should disable ALL alerts and allow decoding to go on but it doesn't. does anyone have any other ideas? i'm going to fiddle for a while but since the no_alerts parameter doesn't work i think we have to find another way. i couldn't care less about http packets with null characters!!! i feel like a newbie again with the new decoders. -adam you wrote: List: snort-users Subject: Re: FW: [Snort-users] (http\_inspect) NON-RFC DEFINED CHAR From: Jeff Kell <jeff-kell () utc ! edu> Date: 2003-12-31 1:39:44 Message-ID: <3FF228E0.8070501 () utc ! edu> [Download message RAW] CMartin () infosol com wrote:
Acutally, just this morning I noticed the same thing, also there are
other
http\_inspect alerts that are showing up in my DB. I'm also looking for answers :D I'll check out the archives incase this was addressed when
snort
2.1.0 was first released
I have http\_inspect down to controllable levels after generating a non-standard (read: not profile all) definition that all of the noise collects into:
preprocessor http_inspect_server: server default \ ports { 80 8080 } \ flow_depth 300 \ ascii no \ utf_8 no \ bare_byte no \ base36 no \ iis_unicode no \ double_decode no \ non_rfc_char { 0x00 } \ multi_slash no \ iis_backslash no \ directory no \ apache_whitespace no \ iis_delimiter no \ chunk_length 64000 \ non_strict
This allows you to decode (normalize) anything remotely resembling an HTTP stream without generating (most) alerts. I then use customized server definitions for our REAL servers by IP address (some of which work just fine with either the "iis" or "apache" profiles). But fully 40% of my alerts are the NON-RFC DEFINED CHAR type and most are related to P2P traffic (not our real web servers, with an IIS exception). It appears you can't turn this alert off (other than turning all alerting off, if even that works). I've been through the ./docs/README.http_inspect. The only other annoyance has been POP3 Brute force alerts which I suspect is some users with "auto check new mail" set really short, or else there is some problem with the threshhold handler. Jeff Adam Peterson | Senior WAN Engineer | SPL WorldGroup | adam_peterson () splwg com | +1.415.357.4787 ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- re: http\_inspect alerts adam_peterson (Dec 31)
- <Possible follow-ups>
- RE: re: http\_inspect alerts CMartin (Dec 31)
- re: http\_inspect alerts adam_peterson (Dec 31)
- RE: http\_inspect alerts CMartin (Dec 31)