[Snort-devel] Problems with HTTP Inspect in Versions 2.6 - 2.612

Erickson Brent W KPWA erickson at ...593...
Wed Jan 24 12:11:44 EST 2007


Hi Steve,

Thank you for the quick response.

I know you folks are busy.

The problem is that if we enable the default server, we receive hundreds and
thousands of alerts on all our outbound HTTP traffic.

We have other solutions for watching HTTP outbound traffic.

Is there any way around this?

We really want to run our specific http server config like we could with
version 2.4.5.

Brent Erickson


-----Original Message-----
From: Steven Sturges [mailto:steve.sturges at ...402...] 
Sent: Wednesday, January 24, 2007 9:05 AM
To: Erickson Brent W KPWA
Cc: 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] Problems with HTTP Inspect in Versions 2.6 -
2.612


Hi Brent--

You need to specify a default server config in addition to the specific
ones, so that if there is HTTP traffic going to a web-server other than the
specific ones, Http Inspect knows how to treat it.

This was a change made in 2.6 -- to require a default server config.

Your default config doesn't have to do anything special -- you can use the
one in the shipping snort.conf:

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

Cheers.
-steve

Erickson Brent W KPWA wrote:
> Hello all,
> 
> We have been using Snort since version 1.6
> 
> We were one of the sites that helped initially test the first release 
> of the HTTP Inspection PreProcessor with Dan Roelker.
> 
> Since version 2.4 and 2.45 or even before, we ran with the default 
> server config commented out and just used the global config and the 
> server config specific to our own HTTP servers.
> 
> Since version 2.6, Snort will exit upon start up and say that the 
> default server config is not active.
> 
> I've looked through the 2.6.1 manual and the HTTP Inspect readme and I 
> cannot find a solution.
> 
> I appreciate your help.
> 
> Brent Erickson
> 