Re: [Snort-users] Ok, Ok - I know - http_inspect (a discussion in the Snort forums, part of the System Security and Security Related category)
I put no_alerts to stop all gen_id 119 alerts for now - snort runs and shows it in effect, since most if not ALL of these alerts are from internal web servers (we have too many), which are under normal usage. I guess there are bigger fish in the pond. BTW, I did use threshold.conf to suppress gen_id 119 alerts, it won't stop them. Thank you so much again!

--- sekure <sekure@gmail.com> wrote:

> What are you trying to do? Those alerts look legitimate, as in, you configure http_inspect_server to only notify you of attacks it spots in URI content, and according to snort documentation "When enabled, only the URI portion of HTTP requests will be inspected for attacks. As this field usually contains 90-95% of the web attacks, you'll catch most of the attacks."
>
> So you are still getting the alerts. I couldn't find an acceptable configuration of http_inspect_server which didn't generate a ton of false positives, and I tried EVERYTHING. I still wanted to be able to use the uricontent keyword, so I needed http_inspect, so I defined http_inspect_server as:
>
>     preprocessor http_inspect_server: server default \
>         profile apache \
>         ports { 80 8080 } \
>         no_alerts
>
> The no_alerts stops all of the gen_id 119 alerts from showing up.
> On Fri, 18 Jun 2004 06:04:34 -0700 (PDT), Snortty <cwcwcwg@yahoo.com> wrote:
> >
> > All,
> >
> > I have set up to enable inspect_uri_only:
> >
> >     preprocessor http_inspect_server: server default \
> >         profile all ports { 80 8080 8180 } \
> >         oversize_dir_length 500 inspect_uri_only
> >
> > and when I run snort, it did show:
> >
> >     Only inspect URI: YES
> >
> > but I still have hundreds of http_inspect alerts in a short period of time, like the kinds:
> >
> >     [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
> >     [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
> >     [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
> >     [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
> >     [**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
> >     [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
> >
> > Can someone shed some light on it please?
> >
> > Thanks
> > Sw.
> ---snipped---
>
> -------------------------------------------------------
> This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
> Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
> Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
> REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users
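Added example, not code from the thread or from the Snort project: the middle ground between the no_alerts setting above (which silences every gen_id 119 event, including ones from outside hosts) and drowning in internal noise is to suppress only the http_inspect events that come from the known-benign internal client range. The script below parses Snort 2 "alert fast" lines of the kind quoted in the thread, tallies the gen_id 119 events per SID split by whether the source address is internal, and emits threshold.conf suppress directives scoped to that source network using the documented Snort 2 syntax (suppress gen_id N, sig_id N, track by_src, ip <net>). The sample alert lines and the 10.0.0.0/8 internal range are constructed assumptions for the example.

```python
"""Tally Snort 2.x http_inspect (gen_id 119) alerts and emit scoped suppress lines.

Added example for the thread above; not the Snort project's own code.
Assumptions (constructed for the example): the sample alert lines below and
the internal client range 10.0.0.0/8.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample "alert fast" output: timestamp, [gid:sid:rev], message,
# priority, protocol, src:port -> dst:port. Not real captured data.
SAMPLE_ALERTS = """\
06/18-06:04:34.123456  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 10.1.5.20:51234 -> 10.1.1.10:80
06/18-06:04:35.223456  [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] [Priority: 3] {TCP} 10.1.5.21:51235 -> 10.1.1.10:80
06/18-06:04:36.323456  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 10.1.5.22:51236 -> 10.1.1.11:8080
06/18-06:04:37.423456  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 203.0.113.7:40001 -> 10.1.1.10:80
06/18-06:04:38.523456  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 10.1.5.20:51237 -> 10.1.1.10:80
06/18-06:04:39.623456  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.7:40002 -> 10.1.1.10:80
"""

# Assumed internal client range; adjust to the networks your own users sit on.
INTERNAL_CLIENTS = ipaddress.ip_network("10.0.0.0/8")

# One alert-fast line: "[**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+(?P<src>[0-9.]+):?\d*\s+->\s+(?P<dst>[0-9.]+):?\d*"
)


def parse_alerts(text):
    """Return a list of dicts (gid, sid, rev, msg, proto, src, dst), one per parsable line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip anything that is not an alert-fast line
        d = m.groupdict()
        for k in ("gid", "sid", "rev"):
            d[k] = int(d[k])
        alerts.append(d)
    return alerts


def tally_http_inspect(alerts, internal_net):
    """Count gen_id 119 events per (sid, msg), split by internal vs. external source."""
    internal, external = Counter(), Counter()
    for a in alerts:
        if a["gid"] != 119:
            continue  # only the http_inspect preprocessor events
        key = (a["sid"], a["msg"])
        if ipaddress.ip_address(a["src"]) in internal_net:
            internal[key] += 1
        else:
            external[key] += 1
    return internal, external


def suppress_lines(internal, internal_net, min_count=1):
    """Emit threshold.conf suppress directives for SIDs seen from the internal range.

    The suppression is keyed on the *source* network, so the same SID still
    fires when an outside host triggers it against the same servers.
    """
    lines = []
    for (sid, msg), n in sorted(internal.items()):
        if n < min_count:
            continue
        lines.append(f"# {msg}: {n} hit(s) from {internal_net}")
        lines.append(f"suppress gen_id 119, sig_id {sid}, track by_src, ip {internal_net}")
    return lines


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    internal, external = tally_http_inspect(parsed, INTERNAL_CLIENTS)
    print("# http_inspect events from internal clients:")
    for (sid, msg), n in sorted(internal.items()):
        print(f"#   119:{sid} {msg}: {n}")
    print("# http_inspect events from external sources (NOT suppressed):")
    for (sid, msg), n in sorted(external.items()):
        print(f"#   119:{sid} {msg}: {n}")
    print("\n".join(suppress_lines(internal, INTERNAL_CLIENTS)))
```

Run it against your own alert file (replace SAMPLE_ALERTS with the file contents) and paste the emitted lines into threshold.conf; the DOUBLE DECODING event from the outside address in the sample is left alone because the directives track by source. The original poster reports that suppressing gen_id 119 in threshold.conf did not stop the alerts on their build, so check the effect on your own Snort version rather than assuming it from the syntax.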