Snort mailing list archives
RE: Problems with snort-2.1.0
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 14 Jan 2004 13:25:46 -0600
-----Original Message-----
From: Daniel J. Roelker [mailto:droelker () sourcefire com]
Sent: Wednesday, January 14, 2004 1:05 PM
To: Schmehl, Paul L
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problems with snort-2.1.0

> http_decode alerts didn't take into account the HTTP_SERVERS variable either.
OK. I didn't realize that. I thought the purpose of those preprocessors was to normalize the http traffic before the traffic was compared against the rules. I didn't realize they were normalizing *all* http traffic!
> On a side note, there's a big difference between the old http_decode and http_inspect. If you want to find out more about the differences you can check out the paper "HTTP IDS Evasions Revisited" at www.idsresearch.org. It explains the different types of evasions that http_inspect looks for and normalizes.
Thanks for the pointer. I will read it. :-)
I do have a question though. Can you disable a default flag by using "flag_name no"?

> It's at the end of README.http_inspect and starts like this:
>
> -- Profile Breakout --
> There are three profiles that users can select. Only the configurations that are listed under the profiles are turned on. If there is no mention of alert on or off, then that means there is no alert associated with the configuration.
>
> As to your other question, you can't turn off individual flags in a profile. But you are definitely encouraged to create your own profiles, and several users have done this on the mailing list. I'm hoping that some users may want to create profiles for more web servers than the three that we've provided. I'd be more than happy to add any submitted server profiles that users make into an http_inspect configuration. So if anyone feels like helping . . . :)
OK. Is it possible to use thresholding to limit the number of alerts that http_inspect generates? I'm getting so many non_rfc_char alerts that the preprocessor is basically unusable in my scenario, even while using no_alerts. (I only have one snort box, so I can't separate web traffic from other traffic by using a separate instance.)

BTW, I *do* appreciate all the work that's done to make snort such a useful program. Without it, we would have no IDS at all, because we simply can't afford to buy commercial units. With snort we have top notch protection.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
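What "create your own profile" looks like in practice, as an added snort.conf fragment that is not from this thread or from the Snort project's shipped configs: instead of `profile iis|apache|all`, every http_inspect_server option is listed by hand, so only what is listed is turned on, and the non_rfc_char byte list is limited to what you actually want alerts on. The port list, flow_depth, the yes/no choices and the threshold line are assumptions; in particular, the thread does not settle whether 2.1.0's thresholding reaches preprocessor events, so verify that line against your own alert output, and the sig_id is a placeholder to look up in gen-msg.map.

```conf
# Added example (not from the thread or the Snort distribution).
# Hand-written http_inspect_server profile for Snort 2.1.x; option names
# follow README.http_inspect, values below are assumptions for illustration.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# No "profile" keyword: only the options listed here are enabled.
# The yes/no switches follow README.http_inspect (in most cases: whether
# that encoding raises an alert); common benign encodings are set to "no"
# so they are normalized quietly instead of flooding the alert log.
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    flow_depth 300 \
    ascii no \
    utf_8 no \
    u_encode yes \
    bare_byte yes \
    double_decode yes \
    iis_unicode no \
    multi_slash no \
    directory no \
    apache_whitespace no \
    iis_backslash no \
    non_rfc_char { 0x00 }

# Assumption to verify on 2.1.0: cap how often one source can raise the
# non_rfc_char event. gen_id 119 is the http_inspect client generator;
# SIG_ID is a placeholder for the event id found in gen-msg.map.
threshold gen_id 119, sig_id SIG_ID, type limit, track by_src, count 1, seconds 60
```

Keep the `non_rfc_char` list short and specific: each byte in it is what turns an otherwise normalized request into an alert, which is where the alert volume in the thread comes from.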