Re: v2.3 http_inspect help/issue?

[marc norton <marc.norton () sourcefire com>]

The way to handles this is to not use a profile, but instead enable just 
the features you want for the server.  The documentation readme defines 
the attributes defined for each server, and what is available to create 
a ciustom server.

Rich Adamson wrote:
> Issue is with win32 Snort_230_Build10_Installer.exe pulled Saturday,
> but probably applies to nix versions as well. It installs just fine. 
> (FWIW, been using win32 snort since about the v1.8 days.)
>
> In snort.conf, adding the "double_decode no" as in:
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500 double_decode no
>
> causes the following startup error:
>
> ERROR: E:\snort-v2-3\etc\snort.conf(308) => Invalid token while configuring the
> profile token.  The only allowed tokens when configuring profiles are: 'ports',
> 'iis_unicode_map', 'allow_proxy_use', 'flow_depth', 'no_alerts', 'oversize_dir_l
> ength', and 'inspect_uri_only'.
> Fatal Error, Quitting..
>
> Removing the double_decode parameter allows snort to start and function
> in a very normal manner.
>
> If I uncomment the ten-line example for http_inspect where the parameters
> are applied to a "specific server", then the double_decode parameter
> is accepted and snort runs fine.
>
> It would seem like the double_decode parameter should be usable in the
> default http_inspect statement as shown above. The logic in that thought
> is essentially one of... the default startup parameter for this causes
> a fair amount of noise when HOME_NET users visit EXTERNAL_NET web 
> servers.
>
> Previous postings have suggested the above preprocessor statement is needed
> to normalize http traffic for certain rules. If that is true, then how
> does one eliminate the many false positives associated with double
> decodes if the parameter can't be applied to the default statement?
>
> FWIW, several of the parameters shown in the snort.conf example are
> _not_ acceptable in the above preprocessor statement, and cause snort
> to exit with the above error message. Is this really the expected
> behavior? (Perhaps my understanding of the preprocessor is not 
> correct however.)
>
> If I use the reverse logic for the preprocessor, it would suggest one
> or more of the following:
> a) the "server default" preprocessor line can never be used when
>    snort is monitoring internet gateway traffic (both incoming and
>    user outgoing http sessions), as it generates lots of false positives
>    for HOME-NET to EXTERNAL_NET traffic (eg, external web servers)
>    and there doesn't appear to be any way to manage those alerts.
> b) if snort is monitoring internet gateway traffic and there are many
>    internal web servers accessible from the internet, one would have
>    to define a http_inspect section for "each" server, since it does
>    not accept "server 1.2.3.0/24" logic.
> c) the preprocessor does not accept variables (such as HTTP_SERVERS
>    and HTTP_PORTS), therefore one http_inspect section has to be
>    defined for "each" internal http server. Seems like a waste
>    when one section could be applied to all internal http servers.
> d) since the http_inspect preprocessor was apparently written to 
>    help protect/identify issues with company-owned web servers
>    (not external_net servers), the README_http_inspect text should
>    probably address the above issues in a little bit more detail,
>    and specifically talk about the "server default" statement.
>
> Am I way off base or misunderstanding the preprocessor?
>
> Rich

--
Marc Norton   Snort Team Lead
410-423-1924  mnorton () sourcefire com
www.snort.org www.sourcefire.com


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users