Snort mailing list archives
RE: Ok, Ok - I know - http_inspect
From: "Koski, Brian" <bkoski () citrusheights net>
Date: Wed, 16 Jun 2004 13:20:25 -0700
Do you have a lot of servers? It seems you may need to define each one; yes,
profile all would work (Apache, IIS)
i.e.:
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server 172.16.1.11 profile all ports { 80 443 }
preprocessor http_inspect_server: server 172.16.1.12 profile all ports { 80 8080 }
etc...
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jeff Dell
Sent: Wednesday, June 16, 2004 11:54 AM
To: 'Rowland, Krisa W ERDC-ITL-MS Contractor';
Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Ok, Ok - I know - http_inspect
You are correct. I misread your first email: when you said that
/8 didn't work, I assumed you meant it didn't limit the events. If you
look at the docs at:
http://www.snort.org/docs/snort_manual/node17.html#SECTION003810000000000000000
you will see all of the options for http_inspect; maybe one of
these will help limit the alerts you are getting.
Jeff
_____
From: Rowland, Krisa W ERDC-ITL-MS Contractor
[mailto:Krisa.W.Rowland () erdc usace army mil]
Sent: Wednesday, June 16, 2004 2:44 PM
To: 'Jeff Dell'; Rowland, Krisa W ERDC-ITL-MS
Contractor; Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Ok, Ok - I know -
http_inspect
I get this error:
ERROR:
/export/home/krowland/snort-2.1.3/etc/snort.conf(288) => Invalid IP to
'server' token.
I guess you can't do a subnet - on a single server...
_____
From: Jeff Dell [mailto:jdell () activeworx com]
Sent: Wednesday, June 16, 2004 11:15 AM
To: 'Rowland, Krisa W ERDC-ITL-MS Contractor';
Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Ok, Ok - I know -
http_inspect
It sounds like you want to limit it to only a single
class C, and not a class A? If this is the case, you would want to change
the subnet mask to /24.
Cheers,
Jeff
_____
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rowland,
Krisa W ERDC-ITL-MS Contractor
Sent: Wednesday, June 16, 2004 11:54 AM
To: 'Snort-users () lists sourceforge net'
Subject: [Snort-users] Ok, Ok - I know -
http_inspect
I know I'm going to get slaughtered for even
bringing up the subject of http_inspect. I've read through the old
posts, and also read through the manual. I'm hoping that someone can
offer clarification or guidance on this, though. I do not want to
disable this option, but at the moment I'm going to have to; it's just
pouring out too many alerts.
I tried to limit these alerts to only my webfarm
subnet by doing this:
preprocessor http_inspect_server: server x.x.x.0/8 \
profile all ports { 80 8080 8180 }
oversize_dir_length 500
But it didn't like that. I'd just like to
restrict these alerts to one subnet - how do I do that?
Shouldn't I use the all profile if I'm pretty
sure that I have apache and IIS servers?
Krisa Rowland
ERDC Information Assurance Team
(SAIC Contractor)
3909 Halls Ferry Rd., Bldg. 8000
Vicksburg, MS 39180
601-634-2493
krisa.w.rowland () erdc usace army mil
