RE: [Snort-users] Ok, Ok - I know - http_inspect
I get this error:

    ERROR: /export/home/krowland/snort-2.1.3/etc/snort.conf(288) => Invalid IP to 'server' token.

I guess you can't do a subnet - on a single server...

_____

From: Jeff Dell [mailto:jdell@activeworx.com]
Sent: Wednesday, June 16, 2004 11:15 AM
To: 'Rowland, Krisa W ERDC-ITL-MS Contractor'; Snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] Ok, Ok - I know - http_inspect

It sounds like you want to only limit it to a single class C? and not a Class A? If this is the case you would want to change the subnet mask to /24

Cheers,
Jeff

_____

From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Rowland, Krisa W ERDC-ITL-MS Contractor
Sent: Wednesday, June 16, 2004 11:54 AM
To: 'Snort-users@lists.sourceforge.net'
Subject: [Snort-users] Ok, Ok - I know - http_inspect

I know I'm going to get slaughtered for even bringing up the subject of http_inspect. I've read through the old posts, and also read through the manual. I'm hoping that someone can offer clarification or guidance on this, though. I do not want to disable this option - but at the moment I'm going to have to - just pouring out too many alerts.

I tried to limit these alerts to only my webfarm subnet by doing this:

    preprocessor http_inspect_server: server x.x.x.0/8 \
        profile all ports { 80 8080 8180 } oversize_dir_length 500

But it didn't like that. I'd just like to restrict these alerts to one subnet - how do I do that?

Shouldn't I use the all profile if I'm pretty sure that I have Apache and IIS servers?

Krisa Rowland
ERDC Information Assurance Team
(SAIC Contractor)
3909 Halls Ferry Rd., Bldg. 8000
Vicksburg, MS 39180
601-634-2493
krisa.w.rowland@erdc.usace.army.mil
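
Added example, not part of the original thread or of Snort itself: a small generator that expands a web-farm subnet into one http_inspect_server line per host and silences alerts for everything else, for a Snort build whose 'server' token rejects a subnet as the error above reports. Assumptions: the function name, the 1024-address cap and the 192.0.2.0/29 sample range are constructed for illustration, and the 'server default' and 'no_alerts' keywords should be checked against the README.http_inspect shipped with the installed version.

```python
import ipaddress

MAX_HOSTS = 1024  # assumed safety cap: refuse expansions as large as a /8


def http_inspect_server_lines(cidr, ports=(80, 8080, 8180), profile="all",
                              oversize_dir_length=500, quiet_default=True):
    """Return snort.conf lines that keep http_inspect alerts to one subnet."""
    # strict=True rejects a network written with host bits set (e.g. .5/24).
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this sketch only handles IPv4 web farms")
    if net.num_addresses > MAX_HOSTS:
        raise ValueError(f"{cidr} expands to {net.num_addresses} addresses; "
                         f"cap is {MAX_HOSTS}")
    port_list = " ".join(str(p) for p in ports)
    base = f"profile {profile} ports {{ {port_list} }}"
    lines = []
    if quiet_default:
        # Everything outside the web farm: still normalized, but no alerts.
        lines.append("preprocessor http_inspect_server: "
                     f"server default {base} no_alerts")
    for host in net.hosts():
        # One per-host entry, since a subnet is not accepted by 'server' here.
        lines.append("preprocessor http_inspect_server: "
                     f"server {host} {base} "
                     f"oversize_dir_length {oversize_dir_length}")
    return lines


if __name__ == "__main__":
    # 192.0.2.0/29 is a constructed documentation range, not the poster's subnet.
    print("\n".join(http_inspect_server_lines("192.0.2.0/29")))
```

Run snort with -T against the resulting snort.conf to confirm the generated lines parse before putting them into production.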