Snort mailing list archives
Re: Ok, Ok - I know - http_inspect
From: Snortty <cwcwcwg () yahoo com>
Date: Fri, 18 Jun 2004 06:04:34 -0700 (PDT)
All,

I have set this up to enable inspect_uri_only:

    preprocessor http_inspect_server: server default \
        profile all ports { 80 8080 8180 } oversize_dir_length 500 inspect_uri_only

and when I run snort, it did show:

    Only inspect URI: YES

but I still have hundreds of http_inspect alerts in a short period of time, like these kinds:

    [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
    [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
    [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
    [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
    [**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
    [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]

Can someone shed some light on it please?

Thanks
Sw.

--- sekure <sekure () gmail com> wrote:
You are missing a slash after your unicode statement. All http_inspect config options want to be part of the same line; the \ escapes the carriage return. Try this:

    preprocessor http_inspect: global \
        iis_unicode_map unicode.map 1252 \    <--- Notice that slash
        inspect_uri_only

On Thu, 17 Jun 2004 12:00:52 -0700 (PDT), Snortty <cwcwcwg () yahoo com> wrote:

> It's true that one can not specify a subnet, but a single IP or global. But I want to use inspect_uri_only enabled for ALL http_inspect alerts, and can only make it work if I enter an IP address to replace the default server 1.1.1.1. It won't work if I put it like this (in snort.conf):
>
>     preprocessor http_inspect: global \
>         iis_unicode_map unicode.map 1252
>         inspect_uri_only
>
> snort won't run, and detects an error due to this line. Can anyone tell me how to enable this inspect_uri_only for ALL http_inspect alerts (so no such alerts will be logged except uricontent inspection) please? THANK YOU!
>
> Sty
>
> --- SN ORT <snort_on_acid () yahoo com> wrote:
>
> > I don't believe you will be able to specify a subnet. I tried that a while ago and couldn't get it to work. It's either global or server-specific.
> >
> > Cheese!
> > Marc
> >
> > From: <Krisa.W.Rowland () erdc usace army mil>
> > To: "'Snort-users () lists sourceforge net'" <Snort-users () lists sourceforge net>
> > Date: Wed, 16 Jun 2004 10:53:56 -0500
> > Subject: [Snort-users] Ok, Ok - I know - http_inspect
> >
> > I know I'm going to get slaughtered for even bringing up the subject of http_inspect. I've read through the old posts, and also read through the manual. I'm hoping that someone can offer clarification or guidance on this, though.
> >
> > I do not want to disable this option - but at the moment I'm going to have to - just pouring out too many alerts. I tried to limit these alerts to only my webfarm subnet by doing this:
> >
> >     preprocessor http_inspect_server: server x.x.x.0/8 \
> >         profile all ports { 80 8080 8180 } oversize_dir_length 500
> >
> > But it didn't like that. I'd just like to restrict these alerts to one subnet - how do I do that? Shouldn't I use the all profile if I'm pretty sure that I have apache and IIS servers?
> >
> > Krisa Rowland
> >
> > <snip>

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
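As an added example (not code from the thread or from Snort itself), a small Python linter that folds snort.conf line continuations the way the reply describes and reports a fragment left stranded by a missing trailing backslash, using Snortty's server stanza above as constructed sample input. Its option tables are a subset taken from the Snort 2.x http_inspect manual, so an option placed in the wrong section is reported as well.

```python
import re
# Snort 2.x http_inspect options (subset, per the manual) and the number of arguments each takes.
GLOBAL_OPTS = {"iis_unicode_map": 2, "detect_anomalous_servers": 0, "proxy_alert": 0}
SERVER_OPTS = {"profile": 1, "ports": "group", "oversize_dir_length": 1, "inspect_uri_only": 0, "no_alerts": 0}

def join_continuations(text):
    # Fold lines ending in '\' into one logical line, as snort.conf parsing does.
    logical, buf = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("\\"):
            buf += line[:-1] + " "
        elif line:
            logical.append(buf + line)
            buf = ""
    return logical + ([buf.strip()] if buf else [])

def parse_options(tokens, known):
    # ['profile','all','ports','{','80','}','inspect_uri_only'] -> {option: args}
    opts, i = {}, 0
    while i < len(tokens):
        name = tokens[i]
        if name not in known:
            raise ValueError("unknown option or stray argument %r" % name)
        if known[name] == "group":                 # e.g. ports { 80 8080 8180 }
            close = tokens.index("}", i)           # ValueError if the list is never closed
            opts[name], i = tokens[i + 2:close], close + 1
        else:
            n = known[name]
            opts[name], i = (tokens[i + 1:i + 1 + n] if n else True), i + 1 + n
    return opts

def lint(text):
    # Return (stanzas, problems) for the http_inspect directives in a snort.conf fragment.
    stanzas, problems = [], []
    for line in join_continuations(text):
        m = re.match(r"preprocessor\s+http_inspect(?:_server)?\s*:\s*(global|server)\s*(.*)", line)
        if not m:
            problems.append("not a directive (missing '\\' on the line before?): %r" % line)
            continue
        section, tokens = m.group(1), m.group(2).split()
        host = tokens.pop(0) if section == "server" and tokens else None
        try:
            stanzas.append((section, host, parse_options(tokens, GLOBAL_OPTS if section == "global" else SERVER_OPTS)))
        except ValueError as err:
            problems.append("%s stanza: %s" % (section, err))
    return stanzas, problems

GOOD = ("preprocessor http_inspect_server: server default \\\n"  # constructed sample: the stanza posted in the thread
        "    profile all ports { 80 8080 8180 } oversize_dir_length 500 inspect_uri_only\n")
BROKEN = GOOD.replace("default \\\n", "default\n")  # same stanza without its continuation '\', the reply's point
```

Running `lint(BROKEN)` reports the second physical line as a stranded fragment, which is the error snort raised on the split configuration; `lint(GOOD)` returns one server stanza with inspect_uri_only set.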
Current thread:
- Ok, Ok - I know - http_inspect Rowland, Krisa W ERDC-ITL-MS Contractor (Jun 16)
- RE: Ok, Ok - I know - http_inspect Jeff Dell (Jun 16)
- <Possible follow-ups>
- RE: Ok, Ok - I know - http_inspect Rowland, Krisa W ERDC-ITL-MS Contractor (Jun 16)
- RE: Ok, Ok - I know - http_inspect Jeff Dell (Jun 16)
- RE: Ok, Ok - I know - http_inspect Koski, Brian (Jun 16)
- RE: Ok, Ok - I know - http_inspect SN ORT (Jun 17)
- RE: Ok, Ok - I know - http_inspect Snortty (Jun 17)
- Re: Ok, Ok - I know - http_inspect sekure (Jun 17)
- Re: Ok, Ok - I know - http_inspect Snortty (Jun 18)
- Re: Ok, Ok - I know - http_inspect sekure (Jun 18)
- Re: Ok, Ok - I know - http_inspect Snortty (Jun 18)
- Re: Ok, Ok - I know - http_inspect SN ORT (Jun 18)
- Re: Ok, Ok - I know - http_inspect Chris Keladis (Jun 18)
- RE: Ok, Ok - I know - http_inspect Snortty (Jun 17)
- Re: Ok, Ok - I know - http_inspect Jeff Kell (Jun 18)
- Re: Ok, Ok - I know - http_inspect sekure (Jun 17)
- Re: Ok, Ok - I know - http_inspect Snortty (Jun 17)