Re: [Snort-users] Ok, Ok - I know - http_inspect

This is a discussion on Re: [Snort-users] Ok, Ok - I know - http_inspect within the Snort forums, part of the System Security and Security Related category.
Yes, but is that really gen_id 119? I mean you can threshold the snort sigs but I don't know that you can threshold inspect alerts! Anyone try to threshold decode or inspect alerts? I don't know because I have not looked at threshold too much, but I do know that you have to specify a sig_id, which these particular alerts do not have. Good luck sir! Cheese!

Marc

--- Snortty <cwcwcwg@yahoo.com> wrote:
>
> I put no_alerts to stop all gen_id 119 alerts for now - snort runs and
> shows it in effect, since most if not ALL of these alerts are from
> internal web servers (we have too many), which are under normal usage.
> I guess there are bigger fish in the pond.
>
> BTW, I did use threshold.conf to suppress gen_id 119 alerts, it won't
> stop them.
>
> Thank you so much again!
>
> --- sekure <sekure@gmail.com> wrote:
> > What are you trying to do? Those alerts look legitimate, as in, you
> > configure http_inspect_server to only notify you of attacks it spots
> > in URI content, and according to snort documentation "When enabled,
> > only the URI portion of HTTP requests will be inspected for attacks.
> > As this field usually contains 90-95% of the web attacks, you'll catch
> > most of the attacks."
> >
> > So you are still getting the alerts. I couldn't find an acceptable
> > configuration of http_inspect_server which didn't generate a ton of
> > false positives, and I tried EVERYTHING. I still wanted to be able to
> > use the uricontent keyword, so I needed http_inspect, so I defined
> > http_inspect_server as:
> >
> > preprocessor http_inspect_server: server default \
> >     profile apache \
> >     ports { 80 8080 } \
> >     no_alerts
> >
> > The no_alerts stops all of the gen_id 119 alerts from showing up.
> >
> > On Fri, 18 Jun 2004 06:04:34 -0700 (PDT), Snortty <cwcwcwg@yahoo.com> wrote:
> > >
> > > All,
> > >
> > > I have set up to enable inspect_uri_only:
> > >
> > > preprocessor http_inspect_server: server default \
> > >     profile all ports { 80 8080 8180 } \
> > >     oversize_dir_length 500 inspect_uri_only
> > >
> > > and when I run snort, it did show:
> > >
> > > Only inspect URI: YES
> > >
> > > but I still have hundreds of http_inspect alerts in a short period of
> > > time, like the kinds:
> > >
> > > [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
> > > [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
> > > [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
> > > [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
> > > [**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
> > > [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
> > >
> > > Can someone shed some light on it please?
> > >
> > > Thanks
> > > Sw.
> > ---snipped---

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
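The thread leaves open whether http_inspect (gen_id 119) alerts can be handled any more finely than sekure's blanket `no_alerts`. The Python script below is an added example for this page, not code from the thread or from the Snort project: it parses fast-format alert headers like the ones Snortty quoted, counts them per gen_id:sig_id, and prints `threshold.conf` suppress entries for the noisy pairs only, so the remaining preprocessor checks and all rule alerts (gen_id 1) keep firing. The `[gid:sid:rev]` header carries both numbers that a Snort 2.x `suppress` entry is keyed on. The sample log lines, the local-range rule sid 1000001 and the 10.0.0.0/8 server range are constructed for the example.

```python
import re
from collections import Counter

# Snort "fast" alert header: [**] [gid:sid:rev] (preprocessor) MESSAGE [**]
# The "(preprocessor)" tag is present for preprocessor alerts such as
# http_inspect (gen_id 119) and absent for ordinary rule alerts (gen_id 1).
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?:\((?P<source>[^)]+)\)\s+)?(?P<msg>.*?)\s+\[\*\*\]"
)

# Constructed sample: the six http_inspect alerts quoted in the thread,
# with one of them repeated as it would be in a busy log, plus one
# constructed rule alert (gen_id 1; sid 1000001 is in the local-rule
# range) to show that rule alerts are left alone.
SAMPLE_ALERTS = """\
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
[**] [1:1000001:1] LOCAL constructed example rule [**]
this line is not an alert header and is skipped
"""


def parse_alert(line):
    """Return (gid, sid, msg) for a fast-alert header line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return int(m.group("gid")), int(m.group("sid")), m.group("msg")


def count_alerts(text):
    """Count alerts per (gid, sid) and remember each pair's message text."""
    counts = Counter()
    messages = {}
    for line in text.splitlines():
        parsed = parse_alert(line)
        if parsed is None:
            continue
        gid, sid, msg = parsed
        counts[(gid, sid)] += 1
        messages[(gid, sid)] = msg
    return counts, messages


def suggest_suppressions(counts, messages, gen_id=119, min_count=1,
                         track=None, ip=None):
    """Emit threshold.conf 'suppress' lines for the noisy (gen_id, sid) pairs.

    Only the requested generator is touched, so rule alerts (gen_id 1)
    keep firing.  With track/ip set, the suppression is limited to that
    address or CIDR (e.g. the internal web servers) instead of global.
    Pairs are listed noisiest first; ties keep first-seen order.
    """
    lines = []
    for (gid, sid), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if gid != gen_id or n < min_count:
            continue
        lines.append("# %dx %s" % (n, messages[(gid, sid)]))
        entry = "suppress gen_id %d, sig_id %d" % (gid, sid)
        if track and ip:
            entry += ", track %s, ip %s" % (track, ip)
        lines.append(entry)
    return lines


if __name__ == "__main__":
    counts, messages = count_alerts(SAMPLE_ALERTS)
    # Global suppression of checks that fired at least twice in the sample.
    print("\n".join(suggest_suppressions(counts, messages, min_count=2)))
    # Same checks, but suppressed only for a constructed internal server range.
    print("\n".join(suggest_suppressions(counts, messages, min_count=2,
                                         track="by_dst", ip="10.0.0.0/8")))
```

Review the generated entries before installing them: the `track by_dst, ip` form keeps a check alive for traffic to anything other than the known-noisy internal servers, which is the middle ground between the flood Snortty saw and switching every gen_id 119 alert off with `no_alerts`.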