Snort mailing list archives

RE: Problems with snort-2.1.0


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 14 Jan 2004 13:25:46 -0600

-----Original Message-----
From: Daniel J. Roelker [mailto:droelker () sourcefire com] 
Sent: Wednesday, January 14, 2004 1:05 PM
To: Schmehl, Paul L
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problems with snort-2.1.0

http_decode alerts didn't take into account the HTTP_SERVERS 
variable either.  

OK.  I didn't realize that.  I thought the purpose of those
preprocessors was to normalize the http traffic before the traffic was
compared against the rules.  I didn't realize they were normalizing
*all* http traffic!
 
On a side note, there's a big difference between the old 
http_decode and http_inspect.  If you want to find out 
more about the differences you can check out the paper "HTTP 
IDS Evasions Revisited" at www.idsresearch.org.  It explains 
the different types of evasions that http_inspect looks for 
and normalizes.

Thanks for the pointer.  I will read it. :-)

I do have a question though.  Can you disable a default 
flag by using 
"flag_name no"?


It's at the end of README.http_inspect and starts like this :

-- Profile Breakout --
There are three profiles that users can select.  Only the 
configurations that are listed under the profiles are turned 
on.  If there is no mention of alert on or off, then that 
means there is no alert associated with the configuration.

As to your other question, you can't turn off individual 
flags in a profile.  But you are definitely encouraged to 
create your own profiles and several users have done this on 
the mailing list.  I'm hoping that some users may want to 
create profiles for more web servers than the three 
that we've provided.  I'd be more than happy to add any 
submitted server profiles that users make into an 
http_inspect configuration.  So if anyone feels like helping . . . :)

OK.  Is it possible to use thresholding to limit the number of alerts
that http_inspect generates?  I'm getting so many non_rfc_char alerts
that the preprocessor is basically unusable in my scenario, even while
using no_alerts.  (I only have one snort box, so I can't separate web
traffic from other traffic by using a separate instance.)

BTW, I *do* appreciate all the work that's done to make snort such a
useful program.  Without it, we would have no IDS at all, because we
simply can't afford to buy commercial units.  With snort we have top
notch protection.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
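The two points raised in this exchange (profiles cannot have single flags switched off, and thresholding can cap the non_rfc_char noise) as an added snort.conf example; it is not part of the original thread or of the Snort project's own documentation. The host addresses are constructed, and the gen_id/sig_id pair for the NON_RFC_CHAR alert is assumed (119:13 in later 2.x releases; confirm against the sid-msg.map shipped with your build).

```conf
# Added example, not from the thread. Assumptions: web servers are
# 192.168.1.10 (constructed) and NON_RFC_CHAR is gen_id 119 / sig_id 13
# (verify in your build's sid-msg.map before relying on it).

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Weak: one stanza for everything. A "profile" stanza cannot have single
# checks turned off, so every non-RFC byte on any host becomes an alert.
#   preprocessor http_inspect_server: server default profile all ports { 80 8080 }

# Better: the catch-all stanza still normalizes traffic but never alerts ...
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } no_alerts

# ... and the real web server gets a profile-free stanza, where the
# "flag yes|no" syntax is accepted and each check can be tuned on its own.
preprocessor http_inspect_server: server 192.168.1.10 \
    ports { 80 } \
    ascii no \
    utf_8 no \
    multi_slash no \
    iis_backslash no \
    non_rfc_char { 0x00 0x01 } \
    directory no \
    apache_whitespace yes

# Thresholding on top: at most one NON_RFC_CHAR alert per source per minute ...
threshold gen_id 119, sig_id 13, type limit, track by_src, count 1, seconds 60

# ... or silence it for a single known-noisy client while keeping it elsewhere.
suppress gen_id 119, sig_id 13, track by_src, ip 192.168.1.50
```

Note that no_alerts applies only to the stanza it appears in; a host that is not matched by an explicit server stanza falls back to the default one, which is why alerts can persist even when no_alerts was set.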

