Snort mailing list archives

Re: http_inspect_server syntax error ?


From: Research <research () nativemethods com>
Date: Sun, 1 Mar 2015 14:02:53 -0500


On Mar 1, 2015, at 1:34 PM, Y M <snort () outlook com> wrote:

I think you still need to specify a "default" http_inspect policy (correct me if I am wrong), although I could not 
find a reference to support that in the documentation (again, correct me if I am wrong). For example, the below works:

preprocessor http_inspect_server: server default profile apache ports { 80 }
preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 }

From: research () nativemethods com
Date: Sun, 1 Mar 2015 12:25:03 -0500
To: snort-users () lists sourceforge net
Subject: [Snort-users] http_inspect_server syntax error ?

Hi,

I am currently trying to configure the: http_inspect_server preprocessor options.

As a minimalist approach, I have:

preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 }

I am aiming to have the options:

server 1.2.3.4       My web server IP address
profile apache       My web server is Apache
ports { 80 }         …running HTTP on port 80

However, when I attempt to launch Snort, I receive the following error:

Verifying Preprocessor Configurations!
HttpInspectConfigCheck() default server configuration not specified
Fatal Error, Quitting..

…which seems to imply it wants a profile of default.

What am I doing wrong ?

Thanks

I agree.  If I put the following:
        
        # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
        preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
        preprocessor http_inspect_server: server default profile apache ports { 80 }
        preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 }

…then I have success!  Snort is happy and runs.

However, I’d like to customize some of the parameters.  If I insert what you mentioned and then try and set some 
specific settings via the defaults in snort.conf, I get errors.

So if I have:

        # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
        preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
        preprocessor http_inspect_server: server default profile apache ports { 80 }
        preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 } \
        chunk_length 500000 \
        server_flow_depth 0 \

        (snip)...

…it seems that it does not like the options I am editing which were in the original snort.conf file (i.e. I haven’t 
added any options, just changing some from “no” to “yes”, etc.).

My hypothesis is that I can’t change some settings when the profile is Apache and the snort.conf parser is halting on 
that.  Is that correct ?

Thanks for your help
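
A pre-flight check for the condition discussed in this thread, as an added example that is not part of the original messages and is not Snort's own parser: it joins backslash-continued lines in snort.conf text and reports whether any http_inspect_server line uses "server default". The function names and sample strings are constructed for illustration, and the brace-list server form is handled in addition to the single-address case shown in the thread.

```python
import re

# Constructed sample: the failing configuration from the thread (no "server default").
FAILING = """\
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 }
"""

# Constructed sample: default line added, plus a backslash-continued option line.
WORKING = """\
# HTTP normalization and anomaly detection
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile apache ports { 80 }
preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 } \\
    server_flow_depth 0
"""

DIRECTIVE = re.compile(r"^\s*preprocessor\s+http_inspect_server\s*:\s*(.*)$")
TARGET = re.compile(r"^server\s+(\{[^}]*\}|\S+)\s*(.*)$")


def logical_lines(text):
    """Join backslash-continued lines, then drop blank and comment lines."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    return [ln for ln in joined.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def server_blocks(text):
    """Return [(targets, options)] for each http_inspect_server directive."""
    blocks = []
    for line in logical_lines(text):
        m = DIRECTIVE.match(line)
        t = TARGET.match(m.group(1).strip()) if m else None
        if t:
            # "default", one address, or a brace-enclosed list of addresses
            targets = t.group(1).strip("{} ").split()
            blocks.append((targets, t.group(2).split()))
    return blocks


def check(text):
    """Summarise whether a default server line exists next to specific ones."""
    blocks = server_blocks(text)
    specific = sorted({ip for targets, _ in blocks
                       for ip in targets if ip != "default"})
    return {"has_default": any(t == ["default"] for t, _ in blocks),
            "specific_servers": specific}
```

Running check() on a candidate snort.conf before restarting the sensor shows the missing default line without having to wait for the fatal error at startup.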

