[Snort-users] RE: http\_inspect alerts

CMartin at ...9696... CMartin at ...9696...
Wed Dec 31 14:18:05 EST 2003

Yep, that configuration looks good.  And from what I understand too, if you
specify no_alerts then the prior lines (ascii no \ iis_delimiter no \ etc.
etc.) are not needed :)  And based on what I read in the snort manual (and
by read I mainly mean inferred, as this is not stated in the documentation)
the profile option is only there to quickly configure the http_decoder
alerts based on what web hosting server you are dealing with, so it is not a
mandatory switch.  

-----Original Message-----
From: adam_peterson at ...10608... [mailto:adam_peterson at ...10608...] 
Sent: Wednesday, December 31, 2003 2:57 PM
To: CMartin at ...9696...
Cc: snort-users at lists.sourceforge.net
Subject: re: http\_inspect alerts

i followed your example and ended up with this, not using a profile.  i 
was confused by the fact that not using a profile wasn't clearly stated as 
an option.  based on the docs i believed 1 of the 3 profiles MUST be used 
and therefore our options would be severely limited.  now i understand, i 
think, and i've essentially duplicated the 'all' profile without the
'non_rfc_char' option and so far so good.  no unwanted alerts generated by
http_inspect processor.

preprocessor http_inspect_server: server default \
flow_depth 300 \
chunk_length 500000 \
ascii no \
multi_slash no \
directory no \
apache_whitespace no \
double_decode no \
u_encode no \
bare_byte no \
iis_unicode no \
iis_backslash no \
iis_delimiter no \
no_alerts \
ports { 80 8080 }

also, i don't think i need all of the 'no' statements at the end of each 
option since i believe this is accomplished (succesfully this time...) by 
adding the 'no_alerts' statement.  to anyone reading this that may not be 
as up to speed as i *think* i am, the no parameter simply tells the 
processor whether or not to create an alert - it doesn't enable/disable 
that parameters functionality.  since the only alerts i'm concerned with 
come from rules, i've disabled them all.  i'm sure i'll forget most of 
this by monday.  :)

Adam Peterson | Senior WAN Engineer | SPL WorldGroup | 
adam_peterson at ...10608... | +1.415.357.4787

CMartin at ...9696...
12/31/2003 02:41 PM MST

        To:     adam_peterson at ...10608...
        cc:     snort-users at lists.sourceforge.net
        Subject:        RE: [Snort-users] re: http\_inspect alerts

Check out the new documentation for snort 2.1.0 and check out the new
http_decoder.  It will tell you about turning on and off and even
customizing some of the alerts!

-----Original Message-----
From: adam_peterson at ...10608... [mailto:adam_peterson at ...10608...] 
Sent: Wednesday, December 31, 2003 2:17 PM
To: jeff-kell at ...6282...
Cc: snort-users at lists.sourceforge.net
Subject: [Snort-users] re: http\_inspect alerts

i finally have 2.1.0 compiled and working on solaris 8 and now i'm 
catching up with you guys.  i'm getting the same  (http\_inspect) NON-RFC 
DEFINED CHAR alerts and i've tried disabling all alerts to no avail. based 

on the readme, adding no_alerts should disable ALL alerts and allow 
decoding to go on but it doesn't.

does anyone have any other ideas?  i'm going to fiddle for a while but 
since the no_alerts parameter doesn't work i think we have to find another 

way.  i couldn't care less about http packets with null characters!!!  i 
feel like a newbie again with the new decoders.


you wrote:

List:       snort-users
Subject:    Re: FW: [Snort-users] (http\_inspect) NON-RFC DEFINED CHAR
From:       Jeff Kell <jeff-kell () utc ! edu>
Date:       2003-12-31 1:39:44
Message-ID: <3FF228E0.8070501 () utc ! edu>
[Download message RAW]

CMartin at ...9696... wrote:

> Acutally, just this morning I noticed the same thing, also there are 
> http\_inspect alerts that are showing up in my DB.  I'm also looking for
> answers :D  I'll check out the archives incase this was addressed when 
> 2.1.0 was first released

I have http\_inspect down to controllable levels after generating a 
non-standard (read: not profile all) definition that all of the noise 
collects into:

> preprocessor http_inspect_server: server default \
>     ports { 80 8080 } \
>     flow_depth 300 \
>     ascii no \
>     utf_8 no \
>     bare_byte no \
>     base36 no \
>     iis_unicode no \
>     double_decode no \
>     non_rfc_char { 0x00 } \
>     multi_slash no \
>     iis_backslash no \
>     directory no \
>     apache_whitespace no \
>     iis_delimiter no \
>     chunk_length 64000 \
>     non_strict

This allows you to decode (normalize) anything remotely resembling an 
HTTP stream without generating (most) alerts.  I then use customized 
server definitions for our REAL servers by IP address (some of which 
work just fine with either the "iis" or "apache" profiles).

But fully 40% of my alerts are the NON-RFC DEFINED CHAR type and most 
are related to P2P traffic (not our real web servers, with an IIS 
exception).  It appears you can't turn this alert off (other than 
turning all alerting off, if even that works).

I've been through the ./docs/README.http_inspect.

The only other annoyance has been POP3 Brute force alerts which I 
suspect is some users with "auto check new mail" set really short,
or else there is some problem with the threshhold handler.


Adam Peterson | Senior WAN Engineer | SPL WorldGroup | 
adam_peterson at ...10608... | +1.415.357.4787

This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list