Snort mailing list archives
Re: Having http_inspect problems, can't turn options off]
From: Daniel Roelker <droelker () sourcefire com>
Date: 09 Aug 2004 13:43:27 -0400
Hi,

Your two unique http_inspect_server configs are wrong. You need to add what ports to inspect on each of those configs. For example,

    preprocessor http_inspect_server: server xxx.xxx.158.212 \
        ports { 80 } ascii no bare_byte no iis_unicode no double_decode no

Without specifying a list of HTTP ports on a unique server profile, you'll just end up using the default profile which in your case has the bare_byte encoding turned on. So that's why you're seeing the alerts.

Dan

On Mon, 2004-08-09 at 13:40, Jeremy Hewlett wrote:
----- Forwarded message from Chris Schock <black () clapthreetimes com> -----

From: "Chris Schock" <black () clapthreetimes com>
To: snort-users () lists sourceforge net
Reply-To: black () clapthreetimes com
Subject: [Snort-users] Having http_inspect problems, can't turn options off
Return-Path: <snort-users-admin () lists sourceforge net>
Date: Fri, 6 Aug 2004 10:33:57 -0600 (MDT)
User-Agent: SquirrelMail/1.4.3a-0.f1.1
X-Mailer: SquirrelMail/1.4.3a-0.f1.1

I am using Snort 2.2 RC1

Here is my http_inspect config in snort.conf:

================
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    proxy_alert

preprocessor http_inspect_server: server xxx.xxx.158.212 bare_byte no
preprocessor http_inspect_server: server xxx.xxx.158.213 no_alerts

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } oversize_dir_length 500
================

My problem is that I am still getting lots and lots of "BARE BYTE UNICODE ENCODING" alerts for both servers, despite trying to suppress that specific alert for one, and turning alerting completely off for the other. I tried turning it off globally as well, but whenever I try that snort complains that there is a configuration problem.

What am I doing wrong?

----- End forwarded message -----
--
Daniel Roelker
Software Developer
Sourcefire, Inc.
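
The check described in the reply above, written out as an added example (not part of the original thread and not Snort code): a small linter that lists server-specific http_inspect_server entries with no ports list. The function names and the embedded sample, copied from the forwarded message, are assumptions of this example.

```python
import re

# Constructed sample: the http_inspect section quoted in the forwarded message.
SAMPLE_CONF = r"""
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    proxy_alert
preprocessor http_inspect_server: server xxx.xxx.158.212 bare_byte no
preprocessor http_inspect_server: server xxx.xxx.158.213 no_alerts
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } oversize_dir_length 500
"""

SERVER_RE = re.compile(
    r"preprocessor\s+http_inspect_server\s*:\s*server\s+(\S+)\s*(.*)")


def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\[ \t]*\r?\n", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def servers_missing_ports(conf_text):
    """Return the server-specific entries that carry no 'ports { ... }' list.

    Per the reply, such an entry ends up using the default profile, so
    options like 'bare_byte no' or 'no_alerts' on it have no effect.
    """
    missing = []
    for line in logical_lines(conf_text):
        m = SERVER_RE.match(line)
        if not m:
            continue
        target, options = m.group(1), m.group(2)
        if target == "default":
            continue  # only the unique (per-server) configs are checked
        if not re.search(r"\bports\s*\{\s*\d", options):
            missing.append(target)
    return missing


if __name__ == "__main__":
    for server in servers_missing_ports(SAMPLE_CONF):
        print("http_inspect_server %s: no ports list" % server)
```

Run against the configuration from the forwarded message, it reports both xxx.xxx.158.212 and xxx.xxx.158.213.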