Snort mailing list archives

RE: Lots of http_inspect alerts - configuration hints?


From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Wed, 28 Sep 2005 13:10:34 -0400

You can enable threshold.conf in your snort.conf and then use threshold
to stop getting these alerts, such as:
suppress gen_id 119, sig_id 2            #  http_inspect: DOUBLE DECODING ATTACK
 
Bruce

  _____  

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Dahlmann, Stephan
Sent: Wednesday, September 28, 2005 4:26 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Lots of http_inspect alerts - configuration hints?



Hi all, 

I am running an IDS with two sensors inside our DMZ. One sensor is
for LAN -> DMZ (Internet), one for DMZ -> LAN.
There are 3 squids running in our network (3 locations with one network)
and 2 IIS web servers.

Snort is installed from Debian Sarge package, version 2.3.1. Rules are
the standard rules, not all enabled... 

The thing is: especially the proxies are generating lots of alerts,
mostly 
(http_inspect) BARE BYTE UNICODE ENCODING 
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY 
(http_inspect) OVERSIZE CHUNK ENCODING 
and some more. 

I figured out that there are several possibilities to configure or
disable the http_inspect preprocessor, but some just don't work...

Here is an extract from my snort.conf.eth1, which is LAN -> DMZ:

------ 

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500

# IIS webserver inspect rule
preprocessor http_inspect_server: server 10.0.0.80 ports { 80 81 } bare_byte no oversize_dir_length 600

# proxy-2 rule
preprocessor http_inspect_server: server 10.0.0.90 ports { 8080 } bare_byte no

# proxy 3 rule
preprocessor http_inspect_server: server 10.0.0.70 ports { 80 8080 } bare_byte no oversize_dir_length 600

# MS ISA server which will replace all three squids
preprocessor http_inspect_server: server 10.0.0.100 ports { 8080 } bare_byte no oversize_dir_length 800

----- 

As you see, I already set the oversize_dir_length to 600! But I'm still
getting alerts...

I suppose it's hard to say if I misconfigured something because you don't
know my network, but some hints or
explanations of the meaning and cause of the alerts would be great...


Thanks in advance,
Stephan
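As an added example (not code from either poster), the Python helper below ties Bruce's threshold.conf suggestion to Stephan's host list: it tallies Snort 2.x fast-format http_inspect alerts by source address and writes suppress entries scoped with "track by_src" to the proxy addresses from the snort.conf extract, so the same sig_id still fires when a non-proxy host triggers it. The alert lines are constructed samples; only 119:2 (DOUBLE DECODING ATTACK) comes from the thread, the other sig_id values are assumed for the sample.

```python
import re
from collections import Counter

# Snort 2.x "fast" alert format. These lines are constructed for the example;
# 119:2 (DOUBLE DECODING ATTACK) is the gid:sid named in the thread, the rest are assumed.
SAMPLE_ALERTS = """\
09/28-04:10:01.100000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.90:51000 -> 203.0.113.10:80
09/28-04:10:02.200000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.90:51002 -> 203.0.113.10:80
09/28-04:10:03.300000  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 10.0.0.70:40000 -> 203.0.113.20:80
09/28-04:10:04.400000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.0.0.70:40002 -> 203.0.113.20:80
09/28-04:10:05.500000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 192.0.2.55:33000 -> 10.0.0.80:80
"""

# The proxy addresses from Stephan's snort.conf extract (squids plus the planned ISA server).
PROXIES = {"10.0.0.90", "10.0.0.70", "10.0.0.100"}

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] \((?P<pp>\w+)\) (?P<msg>.+?) \[\*\*\]"
    r".*?\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

def parse_alerts(text):
    """Return one dict (gid, sid, preprocessor, msg, src, dst) per parseable alert line."""
    return [m.groupdict() for m in map(ALERT_RE.search, text.splitlines()) if m]

def tally_by_source(alerts):
    """Count (gid, sid, msg, src) tuples so the noisiest hosts stand out before tuning."""
    return Counter((a["gid"], a["sid"], a["msg"], a["src"]) for a in alerts)

def suppress_lines(alerts, trusted_sources):
    """Emit threshold.conf suppress entries only for alerts whose source is a known
    proxy (track by_src, ip ...); the same sid keeps alerting for any other host."""
    keys = sorted({(int(a["gid"]), int(a["sid"]), a["src"], a["msg"])
                   for a in alerts if a["src"] in trusted_sources})
    return ["suppress gen_id %d, sig_id %d, track by_src, ip %s   # %s" % k for k in keys]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for key, n in tally_by_source(alerts).most_common():
        print(n, key)
    print("\n".join(suppress_lines(alerts, PROXIES)))
```

The alert from 192.0.2.55 against the IIS server produces no suppress line, which is the point of scoping by source rather than suppressing 119:2 globally as in the one-line reply above.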

