FW: [Snort-users] (http\_inspect) NON-RFC DEFINED CHAR

Jeff Kell jeff-kell at ...6282...
Tue Dec 30 17:44:01 EST 2003


CMartin at ...9696... wrote:

> Acutally, just this morning I noticed the same thing, also there are other
> http\_inspect alerts that are showing up in my DB.  I'm also looking for
> answers :D  I'll check out the archives incase this was addressed when snort
> 2.1.0 was first released

I have http\_inspect down to controllable levels after generating a 
non-standard (read: not profile all) definition that all of the noise 
collects into:

> preprocessor http_inspect_server: server default \
>     ports { 80 8080 } \
>     flow_depth 300 \
>     ascii no \
>     utf_8 no \
>     bare_byte no \
>     base36 no \
>     iis_unicode no \
>     double_decode no \
>     non_rfc_char { 0x00 } \
>     multi_slash no \
>     iis_backslash no \
>     directory no \
>     apache_whitespace no \
>     iis_delimiter no \
>     chunk_length 64000 \
>     non_strict

This allows you to decode (normalize) anything remotely resembling an 
HTTP stream without generating (most) alerts.  I then use customized 
server definitions for our REAL servers by IP address (some of which 
work just fine with either the "iis" or "apache" profiles).

But fully 40% of my alerts are the NON-RFC DEFINED CHAR type and most 
are related to P2P traffic (not our real web servers, with an IIS 
exception).  It appears you can't turn this alert off (other than 
turning all alerting off, if even that works).

I've been through the ./docs/README.http_inspect.

The only other annoyance has been POP3 Brute force alerts which I 
suspect is some users with "auto check new mail" set really short,
or else there is some problem with the threshhold handler.

Jeff





More information about the Snort-users mailing list