Snort mailing list archives
Re: v2.3 http_inspect help/issue?
From: marc norton <marc.norton () sourcefire com>
Date: Mon, 07 Mar 2005 10:32:53 -0500
The way to handle this is to not use a profile, but instead enable just the features you want for the server. The documentation README defines the attributes defined for each server, and what is available to create a custom server.
Rich Adamson wrote:
Issue is with win32 Snort_230_Build10_Installer.exe pulled Saturday, but probably applies to nix versions as well. It installs just fine. (FWIW, been using win32 snort since about the v1.8 days.)

In snort.conf, adding the "double_decode no" as in:

    preprocessor http_inspect_server: server default \
        profile all ports { 80 8080 8180 } oversize_dir_length 500 double_decode no

causes the following startup error:

    ERROR: E:\snort-v2-3\etc\snort.conf(308) => Invalid token while configuring the profile token. The only allowed tokens when configuring profiles are: 'ports', 'iis_unicode_map', 'allow_proxy_use', 'flow_depth', 'no_alerts', 'oversize_dir_length', and 'inspect_uri_only'.
    Fatal Error, Quitting..

Removing the double_decode parameter allows snort to start and function in a very normal manner. If I uncomment the ten-line example for http_inspect where the parameters are applied to a "specific server", then the double_decode parameter is accepted and snort runs fine.

It would seem like the double_decode parameter should be usable in the default http_inspect statement as shown above. The logic in that thought is essentially one of... the default startup parameter for this causes a fair amount of noise when HOME_NET users visit EXTERNAL_NET web servers. Previous postings have suggested the above preprocessor statement is needed to normalize http traffic for certain rules. If that is true, then how does one eliminate the many false positives associated with double decodes if the parameter can't be applied to the default statement?

FWIW, several of the parameters shown in the snort.conf example are _not_ acceptable in the above preprocessor statement, and cause snort to exit with the above error message. Is this really the expected behavior?

(Perhaps my understanding of the preprocessor is not correct however.) If I use the reverse logic for the preprocessor, it would suggest one or more of the following:

a) the "server default" preprocessor line can never be used when snort is monitoring internet gateway traffic (both incoming and user outgoing http sessions), as it generates lots of false positives for HOME_NET to EXTERNAL_NET traffic (eg, external web servers) and there doesn't appear to be any way to manage those alerts.

b) if snort is monitoring internet gateway traffic and there are many internal web servers accessible from the internet, one would have to define a http_inspect section for "each" server, since it does not accept "server 1.2.3.0/24" logic.

c) the preprocessor does not accept variables (such as HTTP_SERVERS and HTTP_PORTS), therefore one http_inspect section has to be defined for "each" internal http server. Seems like a waste when one section could be applied to all internal http servers.

d) since the http_inspect preprocessor was apparently written to help protect/identify issues with company-owned web servers (not external_net servers), the README_http_inspect text should probably address the above issues in a little bit more detail, and specifically talk about the "server default" statement.

Am I way off base or misunderstanding the preprocessor?

Rich
--
Marc Norton
Snort Team Lead
410-423-1924
mnorton () sourcefire com
www.snort.org
www.sourcefire.com
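To make the answer concrete, here is a constructed snort.conf fragment (added here, not from either message in the thread) that puts the two forms side by side: the profile-based default server that produces the "Invalid token" error, and a default server written without a profile keyword, where each decoding check is listed explicitly so double_decode can be turned off. The option names are the per-server keywords from the Snort 2.x README.http_inspect; the particular values chosen are illustrative.

```conf
# Global http_inspect settings (must appear before any server definition)
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# REJECTED AT STARTUP: once 'profile all' is given, the only other tokens accepted
# are ports, iis_unicode_map, allow_proxy_use, flow_depth, no_alerts,
# oversize_dir_length and inspect_uri_only, so 'double_decode no' is an invalid token.
# preprocessor http_inspect_server: server default \
#     profile all ports { 80 8080 8180 } oversize_dir_length 500 double_decode no

# ACCEPTED: no profile keyword, so every per-server option may be set directly.
# For the encoding checks, 'yes' alerts when that encoding is seen and 'no' decodes
# it silently; 'double_decode no' is what stops the IIS double-decode alerts on
# ordinary HOME_NET-to-EXTERNAL_NET browsing described above.
preprocessor http_inspect_server: server default \
    ports { 80 8080 8180 } \
    flow_depth 300 \
    chunk_length 500000 \
    ascii no \
    utf_8 no \
    u_encode yes \
    bare_byte yes \
    iis_unicode yes \
    double_decode no \
    multi_slash no \
    directory no \
    apache_whitespace no \
    iis_backslash no \
    iis_delimiter no \
    non_strict yes \
    oversize_dir_length 500
```

Because a bad token is fatal, check the edited file with Snort's configuration test mode (`snort -T -c snort.conf`) before restarting the sensor; it parses the configuration, reports any invalid token with its line number, and exits without sniffing.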
Current thread:
- v2.3 http_inspect help/issue? Rich Adamson (Mar 06)
- Re: v2.3 http_inspect help/issue? marc norton (Mar 07)