RE: [Snort-users] Ok, Ok - I know - http_inspect (Snort forums, System Security and Security Related category)
You are correct. I misread your first email when you said that /8 didn't work; I assumed you meant it didn't limit the events.

If you look at the docs at:

http://www.snort.org/docs/snort_manual/node17.html#SECTION003810000000000000000

you will see all of the options for http_inspect; maybe one of these will help limit the alerts you are getting.

Jeff

_____

From: Rowland, Krisa W ERDC-ITL-MS Contractor [mailto:Krisa.W.Rowland@erdc.usace.army.mil]
Sent: Wednesday, June 16, 2004 2:44 PM
To: 'Jeff Dell'; Rowland, Krisa W ERDC-ITL-MS Contractor; Snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] Ok, Ok - I know - http_inspect

I get this error:

    ERROR: /export/home/krowland/snort-2.1.3/etc/snort.conf(288) => Invalid IP to 'server' token.

I guess you can't do a subnet - on a single server...

_____

From: Jeff Dell [mailto:jdell@activeworx.com]
Sent: Wednesday, June 16, 2004 11:15 AM
To: 'Rowland, Krisa W ERDC-ITL-MS Contractor'; Snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] Ok, Ok - I know - http_inspect

It sounds like you want to limit it to only a single class C, and not a class A? If this is the case you would want to change the subnet mask to /24.

Cheers,
Jeff

_____

From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Rowland, Krisa W ERDC-ITL-MS Contractor
Sent: Wednesday, June 16, 2004 11:54 AM
To: 'Snort-users@lists.sourceforge.net'
Subject: [Snort-users] Ok, Ok - I know - http_inspect

I know I'm going to get slaughtered for even bringing up the subject of http_inspect. I've read through the old posts, and also read through the manual. I'm hoping that someone can offer clarification or guidance on this, though. I do not want to disable this option, but at the moment I'm going to have to; it's just pouring out too many alerts.

I tried to limit these alerts to only my webfarm subnet by doing this:

    preprocessor http_inspect_server: server x.x.x.0/8 \
        profile all ports { 80 8080 8180 } oversize_dir_length 500

But it didn't like that. I'd just like to restrict these alerts to one subnet - how do I do that?

Shouldn't I use the all profile if I'm pretty sure that I have Apache and IIS servers?

Krisa Rowland
ERDC Information Assurance Team (SAIC Contractor)
3909 Halls Ferry Rd., Bldg. 8000
Vicksburg, MS 39180
601-634-2493
krisa.w.rowland@erdc.usace.army.mil
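The thread ends at the point where Snort 2.1.3 rejects a CIDR in the http_inspect_server `server` token ("Invalid IP to 'server' token"). The practical consequence is that scoping the preprocessor to a web-farm subnet means writing one `server` stanza per host address. The script below is an added example, not code from this thread or from the Snort project: it expands a subnet into per-host `http_inspect_server` lines with the same `profile`, `ports` and `oversize_dir_length` options Krisa posted, and refuses to expand anything larger than a configurable host limit (a /8 would be over 16 million stanzas, which is why Jeff asked whether a /24 was really what was wanted). The 192.0.2.0/24 network is a constructed placeholder for the thread's `x.x.x.0`; the trailing `server default ... no_alerts` stanza assumes the `no_alerts` option documented for http_inspect_server in the Snort 2.x manual, so check it against the manual version linked above for your release; the function names are mine.

```python
"""Expand a web-farm subnet into per-host Snort 2.x http_inspect_server stanzas.

Added example (not from the mailing-list thread or the Snort project).
Snort 2.1.3 accepts a single IP in the 'server' token, not a CIDR, so a
subnet has to become one stanza per usable host address.
"""
import ipaddress
from typing import Iterable, List

# Refuse to expand anything bigger than this: a /8 is ~16.7M stanzas.
MAX_HOSTS = 1024


def http_inspect_stanzas(cidr: str,
                         ports: Iterable[int] = (80, 8080, 8180),
                         profile: str = "all",
                         oversize_dir_length: int = 500,
                         max_hosts: int = MAX_HOSTS) -> List[str]:
    """Return one 'preprocessor http_inspect_server' line per usable host in cidr.

    ports / profile / oversize_dir_length mirror the options in the original
    post; hosts() skips the network and broadcast addresses of the subnet.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    if len(hosts) > max_hosts:
        raise ValueError(
            f"{cidr} expands to {len(hosts)} hosts; refusing (limit {max_hosts})")
    port_list = " ".join(str(p) for p in ports)
    return [
        f"preprocessor http_inspect_server: server {ip} "
        f"profile {profile} ports {{ {port_list} }} "
        f"oversize_dir_length {oversize_dir_length}"
        for ip in hosts
    ]


def snort_conf_fragment(cidr: str, **options) -> str:
    """Web-farm stanzas followed by a catch-all default stanza that does not alert.

    ASSUMPTION: 'no_alerts' is the http_inspect_server option name from the
    Snort 2.x manual; verify it exists in the manual for your Snort release.
    Snort matches the most specific 'server' entry first, so the per-host
    lines above take precedence over 'server default'.
    """
    body = "\n".join(http_inspect_stanzas(cidr, **options))
    default = ("preprocessor http_inspect_server: server default "
               "profile all ports { 80 8080 8180 } no_alerts")
    return body + "\n" + default + "\n"


if __name__ == "__main__":
    # Constructed input: 192.0.2.0/24 stands in for the thread's x.x.x.0 web farm.
    print(snort_conf_fragment("192.0.2.0/24"))
```

Paste the generated fragment into snort.conf in place of the single failing line (line 288 in the thread's error). Keep the host limit: if the generator throws on your "subnet", the mask is almost certainly wrong, which is exactly the /8 versus /24 confusion the thread went through.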