Re: [Snort-users] Ok, Ok - I know - http_inspect (Snort forums, System Security and Security Related category)
All,
I have set up to enable inspect_uri_only:

    preprocessor http_inspect_server: server default \
        profile all ports { 80 8080 8180 } oversize_dir_length 500 inspect_uri_only

and when I run snort, it did show:

    Only inspect URI: YES

but I still have hundreds of http_inspect alerts in a short period of time, like these kinds:

    [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
    [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
    [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
    [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
    [**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
    [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]

Can someone shed some light on it please?

Thanks
Sw.

--- sekure <sekure@gmail.com> wrote:
> You are missing a slash after your unicode statement.
> All http_inspect config options want to be part of the same line; the
> \ escapes the carriage return. Try this:
>
>     preprocessor http_inspect: global \
>         iis_unicode_map unicode.map 1252 \   <--- Notice that slash
>         inspect_uri_only
>
> On Thu, 17 Jun 2004 12:00:52 -0700 (PDT), Snortty <cwcwcwg@yahoo.com> wrote:
> >
> > It's true that one cannot specify a subnet, but a single IP or global.
> >
> > But, I want to use inspect_uri_only enabled for ALL http_inspect alerts;
> > I can only make it work if I enter an IP address to replace the default
> > server 1.1.1.1.
> >
> > It won't work if I put it like this (in snort.conf):
> >
> >     preprocessor http_inspect: global \
> >         iis_unicode_map unicode.map 1252
> >         inspect_uri_only
> >
> > snort won't run, and detects an error due to this line.
> >
> > Can anyone tell me how to enable this
> >
> >     inspect_uri_only
> >
> > for ALL http_inspect alerts (so no such alerts will be logged except
> > uricontent inspection), please?
> >
> > THANK YOU!
> > Sty
> >
> > --- SN ORT <snort_on_acid@yahoo.com> wrote:
> > > I don't believe you will be able to specify a subnet.
> > > I tried that a while ago and couldn't get it to work.
> > > It's either global or server-specific.
> > >
> > > Cheese!
> > >
> > > Marc
> > >
> > > From: <Krisa.W.Rowland@erdc.usace.army.mil>
> > > To: "'Snort-users@lists.sourceforge.net'" <Snort-users@lists.sourceforge.net>
> > > Date: Wed, 16 Jun 2004 10:53:56 -0500
> > > Subject: [Snort-users] Ok, Ok - I know - http_inspect
> > >
> > > I know I'm going to get slaughtered for even bringing up the subject of
> > > http_inspect. I've read through the old posts, and also read through the
> > > manual. I'm hoping that someone can offer clarification or guidance on
> > > this, though. I do not want to disable this option - but at the moment
> > > I'm going to have to - just pouring out too many alerts.
> > >
> > > I tried to limit these alerts to only my webfarm subnet by doing this:
> > >
> > >     preprocessor http_inspect_server: server x.x.x.0/8 \
> > >         profile all ports { 80 8080 8180 } oversize_dir_length 500
> > >
> > > But it didn't like that. I'd just like to restrict these alerts to one
> > > subnet - how do I do that?
> > >
> > > Shouldn't I use the all profile if I'm pretty sure that I have Apache and
> > > IIS servers?
> > >
> > > Krisa Rowland
> > > <snip>
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users@lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/...fo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.p...st=snort-users
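As an added illustration of the line-continuation point sekure makes above (constructed example code, not Snort's own configuration parser; the directive keyword list is an assumed subset used only for the check), this joins backslash-continued snort.conf lines the way Snort reads them and shows why the block without the trailing backslash fails while the corrected one parses as a single preprocessor directive:

```python
# Added illustration (not Snort's own parser): a trailing backslash in
# snort.conf means "this directive continues on the next line". Without
# it, the following line is read as a new, unknown directive.

# Constructed sample: the block Snortty posted (no '\' after 1252)
BROKEN = """preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252
    inspect_uri_only
"""

# Constructed sample: the block sekure suggested (backslash added)
FIXED = """preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252 \\
    inspect_uri_only
"""

# Assumed subset of keywords a snort.conf logical line may start with
DIRECTIVES = ("preprocessor", "var", "include", "output", "config",
              "alert", "log", "pass", "dynamicpreprocessor")


def join_continuations(text):
    """Join backslash-continued lines into logical lines; drop blanks/comments."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "   # keep accumulating
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:                                   # dangling continuation at EOF
        logical.append(buf.strip())
    return logical


def check_config(text):
    """Return (logical_lines, errors); an error is a line with no directive keyword."""
    lines = join_continuations(text)
    errors = [l for l in lines if l.split()[0] not in DIRECTIVES]
    return lines, errors


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        lines, errors = check_config(cfg)
        print(name, "->", len(lines), "logical line(s); errors:", errors)
```

The broken block splits into two logical lines, leaving a bare inspect_uri_only that no directive claims, which is the parse failure the thread describes; the fixed block yields one logical line.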