
RE: [Snort-users] Ok, Ok - I know - http_inspect




06-16-2004
Koski, Brian


Do you have a lot of servers? Seems you may need to define each one; yes,
profile all would work (apache, IIS)

i.e.:
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server 172.16.1.11 profile all ports { 80 443 }
preprocessor http_inspect_server: server 172.16.1.12 profile all ports { 80 8080 }
etc...

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Jeff Dell
Sent: Wednesday, June 16, 2004 11:54 AM
To: 'Rowland, Krisa W ERDC-ITL-MS Contractor';
Snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] Ok, Ok - I know - http_inspect
You are correct. I misread your first email when you said that
/8 didn't work; I assumed you meant it didn't limit the events. If you
look at the docs at:

http://www.snort.org/docs/snort_manual/node17.html#SECTION003810000000000000000

You will see all of the options for http_inspect; maybe one of
these will help limit the alerts you are getting.

Jeff


_____

From: Rowland, Krisa W ERDC-ITL-MS Contractor
[mailto:Krisa.W.Rowland@erdc.usace.army.mil]
Sent: Wednesday, June 16, 2004 2:44 PM
To: 'Jeff Dell'; Rowland, Krisa W ERDC-ITL-MS Contractor;
Snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] Ok, Ok - I know - http_inspect

I get this error:

ERROR: /export/home/krowland/snort-2.1.3/etc/snort.conf(288) => Invalid IP to
'server' token.

I guess you can't do a subnet - on a single server...

_____

From: Jeff Dell [mailto:jdell@activeworx.com]
Sent: Wednesday, June 16, 2004 11:15 AM
To: 'Rowland, Krisa W ERDC-ITL-MS Contractor';
Snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] Ok, Ok - I know - http_inspect

It sounds like you want to limit it to only a single
class C, and not a class A? If this is the case, you would want to change
the subnet mask to /24.
Cheers,
Jeff


_____

From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Rowland,
Krisa W ERDC-ITL-MS Contractor
Sent: Wednesday, June 16, 2004 11:54 AM
To: 'Snort-users@lists.sourceforge.net'
Subject: [Snort-users] Ok, Ok - I know - http_inspect


I know I'm going to get slaughtered for even
bringing up the subject of http_inspect. I've read through the old
posts, and also read through the manual. I'm hoping that someone can
offer clarification or guidance on this, though. I do not want to
disable this option - but at the moment I'm going to have to - just
pouring out too many alerts.

I tried to limit these alerts to only my webfarm
subnet by doing this:

preprocessor http_inspect_server: server x.x.x.0/8 \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

But it didn't like that. I'd just like to
restrict these alerts to one subnet - how do I do that?

Shouldn't I use the all profile if I'm pretty
sure that I have apache and IIS servers?

Krisa Rowland
ERDC Information Assurance Team
(SAIC Contractor)
3909 Halls Ferry Rd., Bldg. 8000
Vicksburg, MS 39180
601-634-2493
krisa.w.rowland@erdc.usace.army.mil




_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
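A generator for the per-host listing suggested in the reply, added here as an example that is not from the thread or from the Snort project. It assumes the Snort 2.1.x behaviour the thread reports (the 'server' token accepts one IPv4 address, not CIDR); the stanza check and the `x.x.x.0/8` sample are constructed from the quoted config.

```python
"""Per-host http_inspect_server tuning helpers (added example, not from the
thread). Assumes Snort 2.1.x as reported above: 'server' takes one IPv4, not CIDR."""
import ipaddress
import re

# One logical stanza: server <ip> profile <name> ports { <n> ... } [extras]
_STANZA = re.compile(
    r"^preprocessor http_inspect_server:\s+server\s+(?P<ip>\S+)\s+"
    r"profile\s+(?P<profile>\w+)\s+ports\s*\{(?P<ports>[\d\s]+)\}")

# Constructed copy of the stanza quoted in the thread, continuation included.
THREAD_STANZA = ("preprocessor http_inspect_server: server x.x.x.0/8 \\\n"
                 "    profile all ports { 80 8080 8180 } oversize_dir_length 500")

def join_continuations(text):
    """Join backslash-continued snort.conf lines into normalised logical lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        logical.append(" ".join((buf + line).split()))
        buf = ""
    return [l for l in logical if l]

def check_server_token(line):
    """None if 'server' is a single IPv4 address, else why Snort would reject
    it (the "Invalid IP to 'server' token" error from the thread)."""
    m = _STANZA.match(line)
    if not m:
        return "not a recognised http_inspect_server stanza"
    ip = m.group("ip")
    if "/" in ip:
        return "CIDR is not accepted for 'server'; list each host instead"
    try:
        ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return f"'{ip}' is not an IPv4 address"
    return None

def expand_webfarm(cidr, ports, profile="all", extra=""):
    """One stanza per usable host in `cidr`, the per-host listing the reply suggests."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    port_list = " ".join(str(p) for p in ports)
    tail = f" {extra}" if extra else ""
    return [f"preprocessor http_inspect_server: server {host} "
            f"profile {profile} ports {{ {port_list} }}{tail}"
            for host in net.hosts()]
```

Running `check_server_token` over the joined lines of a snort.conf before a restart catches the CIDR mistake without waiting for Snort to reject the file at load time.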