[Snort-devel] Problems with HTTP Inspect in Versions 2.6 - 2.612

Steven Sturges steve.sturges at ...402...
Wed Jan 24 13:51:50 EST 2007


Try adding the 'no_alerts' option to the default config.

Cheers.
-steve

Erickson Brent W KPWA wrote:
> Hi Steve,
> 
> Thank you for the quick response.
> 
> I know you folks are busy.
> 
> The problem is that if we enable the default server, we receive hundreds and
> thousands of alerts on all our outbound HTTP traffic.
> 
> We have other solutions for watching HTTP outbound traffic.
> 
> Is there any way around this?
> 
> We really want to run our specific http server config like we could with
> version 2.4.5.
> 
> Brent Erickson
> 
> 
> -----Original Message-----
> From: Steven Sturges [mailto:steve.sturges at ...402...] 
> Sent: Wednesday, January 24, 2007 9:05 AM
> To: Erickson Brent W KPWA
> Cc: 'snort-devel at lists.sourceforge.net'
> Subject: Re: [Snort-devel] Problems with HTTP Inspect in Versions 2.6 -
> 2.612
> 
> 
> Hi Brent--
> 
> You need to specify a default server config in addition to the specific
> ones, so that if there is HTTP traffic going to a web-server other than the
> specific ones, Http Inspect knows how to treat it.
> 
> This was a change made in 2.6 -- to require a default server config.
> 
> Your default config doesn't have to do anything special -- you can use the
> one in the shipping snort.conf:
> 
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500
> 
> Cheers.
> -steve
> 
> Erickson Brent W KPWA wrote:
>> Hello all,
>>
>> We have been using Snort since version 1.6
>>
>> We were one of the sites that helped initially test the first release 
>> of the HTTP Inspection PreProcessor with Dan Roelker.
>>
>> Since version 2.4 and 2.45 or even before, we ran with the default 
>> server config commented out and just used the global config and the 
>> server config specific to our own HTTP servers.
>>
>> Since version 2.6, Snort will exit upon start up and say that the 
>> default server config is not active.
>>
>> I've looked through the 2.6.1 manual and the HTTP Inspect readme and I 
>> cannot find a solution.
>>
>> I appreciate your help.
>>
>> Brent Erickson
>>
>>
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>
> 
> 
> 
> 
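
A pre-flight check for the situation in this thread, as an added example that is not part of the original messages or of Snort itself: it parses a snort.conf and reports a missing `server default` (which the thread says makes 2.6 exit at startup) or a default server without `no_alerts`. The sample configurations, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import re

# Constructed sample: the pre-2.6 layout from the thread (default server commented out).
BEFORE = r"""
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
# preprocessor http_inspect_server: server default \
#     profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor http_inspect_server: server 192.0.2.10 \
    profile apache ports { 80 }
"""
# Constructed sample: shipping default config restored, with no_alerts added.
AFTER = r"""
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
preprocessor http_inspect_server: server 192.0.2.10 \
    profile apache ports { 80 }
"""

def http_inspect_servers(conf_text):
    """Map each active http_inspect_server name to its list of option tokens."""
    logical, pending = [], ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue                      # blank or commented-out directive
        if line.endswith("\\"):           # backslash continues the directive
            pending += line[:-1] + " "
            continue
        logical.append(pending + line)
        pending = ""
    servers = {}
    for entry in logical:
        m = re.match(r"preprocessor\s+http_inspect_server\s*:\s*server\s+(.+)", entry)
        if m:
            tokens = m.group(1).split()
            servers[tokens[0]] = tokens[1:]
    return servers

def check(conf_text):
    """Return findings for the two conditions discussed in the thread."""
    servers = http_inspect_servers(conf_text)
    if "default" not in servers:
        return ["no active 'server default': Snort 2.6 and later exit at startup"]
    if "no_alerts" not in servers["default"]:
        return ["'server default' will alert on HTTP traffic to all other servers"]
    return []

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, check(conf) or "ok")
```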




