This is a discussion on Re: [Snort-users] Ok, Ok - I know - http_inspect within the Snort forums, part of the System Security and Security Related category.
What are you trying to do? Those alerts look legitimate, as in, you configure http_inspect_server to only notify you of attacks it spots in URI content, and according to the Snort documentation "When enabled, only the URI portion of HTTP requests will be inspected for attacks. As this field usually contains 90-95% of the web attacks, you'll catch most of the attacks." So you are still getting the alerts.

I couldn't find an acceptable configuration of http_inspect_server which didn't generate a ton of false positives, and I tried EVERYTHING. I still wanted to be able to use the uricontent keyword, so I needed http_inspect, so I defined http_inspect_server as:

preprocessor http_inspect_server: server default \
    profile apache \
    ports { 80 8080 } \
    no_alerts

The no_alerts stops all of the gen_id 119 alerts from showing up.

On Fri, 18 Jun 2004 06:04:34 -0700 (PDT), Snortty <cwcwcwg@yahoo.com> wrote:
>
> All,
>
> I have set up to enable inspect_uri_only:
>
> preprocessor http_inspect_server: server default \
> profile all ports { 80 8080 8180 }
> oversize_dir_length 500 inspect_uri_only
>
> and when I run snort, it did show:
>
> Only inspect URI: YES
>
> but I still have hundreds of http_inspect alerts in
> a short period of time, like the kinds:
>
> [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
> [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
> [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
> [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
> [**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
> [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
>
> Can someone shed some light on it please?
>
> Thanks
> Sw.
---snipped---
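As an added example (not part of this thread and not Snort's own code), the script below tallies the http_inspect (gen_id 119) alerts in Snort's fast-alert output and emits threshold.conf `suppress` entries only for the signatures that are actually noisy, so the remaining 119 alerts keep firing instead of all being switched off with `no_alerts`. The sample alert lines are constructed after the ones quoted in the thread; the `min_hits` threshold is an assumed tuning knob.

```python
import re
from collections import Counter

# Header of a Snort fast alert, as quoted in the thread:
#   [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
# Groups: gid, sid, rev, generating component, message text.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+\((\w+)\)\s+(.*?)\s+\[\*\*\]"
)

# Constructed sample modelled on the alerts quoted above (not a real capture).
SAMPLE_ALERTS = """\
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[**] [116:1:1] (snort_decoder) constructed decoder alert [**]
"""


def parse_alerts(text):
    """Yield (gid, sid, rev, component, message) for every alert header line."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            gid, sid, rev, component, msg = m.groups()
            yield int(gid), int(sid), int(rev), component, msg


def count_by_signature(text, gid=119):
    """Count alerts per (sid, message) for one generator (119 = http_inspect)."""
    counts = Counter()
    for g, sid, _rev, _component, msg in parse_alerts(text):
        if g == gid:
            counts[(sid, msg)] += 1
    return counts


def suppress_lines(text, gid=119, min_hits=2):
    """Return threshold.conf 'suppress gen_id <gid>, sig_id <sid>' lines for the
    signatures that fired at least min_hits times; quieter ones are left alone."""
    lines = []
    for (sid, _msg), n in sorted(count_by_signature(text, gid).items()):
        if n >= min_hits:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}")
    return lines
```

Run it over a real alert file and review each message before pasting the suppress lines into threshold.conf; a signature that is merely frequent is not necessarily a false positive.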