Snort mailing list archives
Re: Snort 2.1.0 - Shutting up http_inspect on non web servers
From: James Nonya <slave_tothe_box () yahoo com>
Date: Wed, 14 Jan 2004 12:46:57 -0800 (PST)
On Wed, 14 Jan 2004 14:25:10 -0600 "Schmehl, Paul L" <pauls () utdallas edu> wrote:

> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of James Nonya
> Sent: Wednesday, January 14, 2004 1:19 PM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Snort 2.1.0 - Shutting up http_inspect on non web servers
>
> Paul,
>
> Have you tried setting it to monitor port 0 or something like that? Maybe
> telling http_inspect to monitor a little used port would work..think I'll
> try that now.
>
> I haven't, but ISTM that would defeat the purpose of the preprocessor,
> wouldn't it?
>
> I just tried enabling *only* the global preprocessor. That resulted in the
> following alerts:
>
>   NON-RFC HTTP DELIMITER
>   APACHE WHITESPACE (TAB)
>   NON-RFC DEFINED CHAR
>   OVERSIZE CHUNK ENCODING
>
> Even that is too much for me. All I want the preprocessor to do is
> normalize http traffic before it's compared to the normal web rules.
>
> So then I tried this:
>
>   preprocessor http_inspect: global \
>       iis_unicode_map unicode.map 1252
>
>   preprocessor http_inspect_server: server default \
>       ports { 80 8080 } \
>       no_alerts
>
> And it seems to be working. At least I'm not getting alerts from the
> preprocessor itself, not even non-rfc defined char alerts.
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
Paul,

As I understand it:

  preprocessor http_inspect: global \
      iis_unicode_map unicode.map 1252

  preprocessor http_inspect_server: server default \
      ports { 0 } \
      no_alerts

would affect how snort handles unspecified http traffic. Adding a:

  preprocessor http_inspect_server: server ipaddress \
      ports { 80 8080 } \
      profile iis

would still monitor the traffic for that server ip, yes?

I think I should have specified that..hehe. My goal was to stop monitoring
client to external web traffic, but monitor external traffic to my web
servers. Looks like your method should work fine...maybe changing to a little
used port would reduce load...not sure though.

Thanks!
James
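The two configurations discussed in this thread differ in which destinations the preprocessor looks at and whether it raises its own alerts. The script below is an added example (not code from the thread or from the Snort project) that parses `http_inspect_server` stanzas out of a snort.conf fragment and answers, for a given destination IP and port, whether the flow would be inspected and whether preprocessor alerts would fire. The function names (`parse_http_inspect_servers`, `effective_policy`), the sample configurations (`PAUL_CONF`, `JAMES_CONF`, using documentation addresses) and the matching rules in the module docstring are my own assumptions about http_inspect's behaviour, not statements from the thread; the `server { ip ip }` list form is not handled.

```python
"""Work out which destinations Snort 2.x http_inspect would inspect, and
whether it would alert, from the http_inspect_server stanzas in a snort.conf.

Added example for the thread above; not code from the thread or from Snort.
Modelled assumptions (mine, not verified against Snort source):
  * a flow uses the `server <ip>` stanza for its destination IP, falling
    back to `server default`;
  * it reaches the preprocessor only if the destination port is in that
    stanza's `ports { ... }` (taken as { 80 } when omitted);
  * `no_alerts` suppresses preprocessor alerts but keeps normalization.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed snort.conf fragments mirroring the two configs in the thread.
# Paul's: inspect 80/8080 for every host, never raise preprocessor alerts.
PAUL_CONF = """\
preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \\
    ports { 80 8080 } \\
    no_alerts
"""

# James's idea: default to an unused port so generic client traffic is skipped,
# then opt one real web server (192.0.2.10, a documentation address) back in.
JAMES_CONF = """\
preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \\
    ports { 0 } \\
    no_alerts

preprocessor http_inspect_server: server 192.0.2.10 \\
    ports { 80 8080 } \\
    profile iis
"""


@dataclass
class ServerPolicy:
    target: str                                   # "default" or one IP
    ports: Set[int] = field(default_factory=lambda: {80})
    no_alerts: bool = False
    profile: Optional[str] = None


_SERVER_RE = re.compile(r"^preprocessor\s+http_inspect_server:\s*server\s+(\S+)\s*(.*)$")
_PORTS_RE = re.compile(r"\bports\s*\{([^}]*)\}")
_PROFILE_RE = re.compile(r"\bprofile\s+(\S+)")


def _logical_lines(text: str):
    """Yield statements with '#' comments stripped and backslash-continued
    lines joined, the way snort.conf is written."""
    parts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        parts.append(line)
        yield " ".join(parts)
        parts = []
    if parts:                                     # ended on a continuation
        yield " ".join(parts)


def parse_http_inspect_servers(text: str) -> Dict[str, ServerPolicy]:
    """Map each server target ("default" or an IP) to its parsed policy."""
    policies: Dict[str, ServerPolicy] = {}
    for stmt in _logical_lines(text):
        m = _SERVER_RE.match(stmt)
        if not m:
            continue                              # global stanza or other directive
        target, options = m.group(1), m.group(2)
        pol = ServerPolicy(target=target)
        ports = _PORTS_RE.search(options)
        if ports:
            pol.ports = {int(p) for p in ports.group(1).split()}
        pol.no_alerts = re.search(r"\bno_alerts\b", options) is not None
        prof = _PROFILE_RE.search(options)
        if prof:
            pol.profile = prof.group(1)
        policies[target] = pol
    return policies


def effective_policy(policies: Dict[str, ServerPolicy], dst_ip: str,
                     dst_port: int) -> Tuple[bool, bool, Optional[str]]:
    """(inspected, alerts_enabled, matched_target) for a flow to dst_ip:dst_port."""
    pol = policies.get(dst_ip) or policies.get("default")
    if pol is None:
        return (False, False, None)
    inspected = dst_port in pol.ports             # port 0 never matches real traffic
    return (inspected, inspected and not pol.no_alerts, pol.target)


if __name__ == "__main__":
    flows = [("192.0.2.10", 80), ("192.0.2.10", 443), ("198.51.100.7", 80)]
    for name, conf in (("Paul", PAUL_CONF), ("James", JAMES_CONF)):
        pols = parse_http_inspect_servers(conf)
        for ip, port in flows:
            print(name, ip, port, effective_policy(pols, ip, port))
```

Run it to see the difference the thread is about: under `PAUL_CONF` every host on 80/8080 is normalized but silently; under `JAMES_CONF` only 192.0.2.10 on 80/8080 is inspected and alerting, while the `ports { 0 }` default never matches a real destination port. Whether Snort itself accepts port 0 in that role is the open question in the thread; this model only shows the intended effect.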