Snort mailing list archives
Re: http_inspect_server syntax error ?
From: Research <research () nativemethods com>
Date: Sun, 1 Mar 2015 14:02:53 -0500
On Mar 1, 2015, at 1:34 PM, Y M <snort () outlook com> wrote:
I think you still need to specify a "default" http_inspect policy (correct me if I am wrong), although I could not find a reference to support that in the documentation (again, correct me if I am wrong). For example, the below works: preprocessor http_inspect_server: server default profile apache ports { 80 } preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 }From: research () nativemethods com Date: Sun, 1 Mar 2015 12:25:03 -0500 To: snort-users () lists sourceforge net Subject: [Snort-users] http_inspect_server syntax error ? Hi, I am currently trying to configure the: http_inspect_server preprocessor options. As a minimalist approach, I have: preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 } I am aiming to have the options: server 1.2.3.4 My web server IP address profile apache My web server is Apache ports { 80 } …running HTTP on port 80 However, when I attempt to launch Snort, I receive the following error: Verifying Preprocessor Configurations! HttpInspectConfigCheck() default server configuration not specified Fatal Error, Quitting.. …which seems to apply it wants a profile of default. What am I doing wrong ? Thanks
I agree. If I put the following: # HTTP normalization and anomaly detection. For more information, see README.http_inspect preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 preprocessor http_inspect_server: server default profile apache ports { 80 } preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 } …then I have success! Snort is happy and runs. However, I’d like to customize some of the parameters. If I insert what you mentioned and then try and set some specific settings via the defaults in snort.conf, I get errors. So if I have: # HTTP normalization and anomaly detection. For more information, see README.http_inspect preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 preprocessor http_inspect_server: server default profile apache ports { 80 } preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 } \ chunk_length 500000 \ server_flow_depth 0 \ (snip)... …it seems that it does not like the options I am editing which were in the original snort.conf file (i.e. I haven’t added any options, just changing some from “no” to “yes”, etc.). My hypothesis is that I can’t change some settings when the profile is Apache and the snort.conf parser is halting on that. Is that correct ? Thanks for your help
------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- http_inspect_server syntax error ? Research (Mar 01)
- Re: http_inspect_server syntax error ? Y M (Mar 01)
- Re: http_inspect_server syntax error ? Research (Mar 01)
- Re: http_inspect_server syntax error ? Y M (Mar 01)