Snort mailing list archives
RE: Having http_inspect problems, can't turn options off
From: "Kenneth Trimmmer" <kenneth.trimmer () parkvale com>
Date: Fri, 6 Aug 2004 15:33:22 -0400
I have recently experienced similar problems and this is what I have done to fix it. I turned off alerting because of the overabundance of false positives. I believe that the false positives are in response to the SRC IP address having a high port number. I believe that the http_inspect preprocessor is monitoring for HTTP traffic on ports other than 80 and that is when it sends off the alert. I do believe that the folks at Sourcefire know this and are working on a fix. So in the meantime here is my preprocessor line.

preprocessor http_inspect_server: server default \
    profile all ports { 80 } oversize_dir_length 500 no_alerts

preprocessor http_inspect_server: server 172.25.1.28 \
    profile apache ports { 80 } no_alerts

It looks like you need the no_alerts on the default preprocessor as well as the additional preprocessors. This should not be too much of a risk because http_inspect will continue to do the normalization behind the scenes and alert on anything that matches a rule.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Chris Schock
Sent: Friday, August 06, 2004 12:34 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Having http_inspect problems, can't turn options off

I am using Snort 2.2 RC1. Here is my http_inspect config in snort.conf:

================
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    proxy_alert

preprocessor http_inspect_server: server xxx.xxx.158.212 bare_byte no

preprocessor http_inspect_server: server xxx.xxx.158.213 no_alerts

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } oversize_dir_length 500
================

My problem is that I am still getting lots and lots of "BARE BYTE UNICODE ENCODING" alerts for both servers, despite trying to suppress that specific alert for one, and turning alerting completely off for the other.

I tried turning it off globally as well, but whenever I try that snort complains that there is a configuration problem. What am I doing wrong?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Having http_inspect problems, can't turn options off Chris Schock (Aug 06)
- Re: Having http_inspect problems, can't turn options off Jeremy Hewlett (Aug 06)
- RE: Having http_inspect problems, can't turn options off Kenneth Trimmmer (Aug 06)