[Snort-users] Having http_inspect problems, can't turn options off

Daniel Roelker droelker at ...1935...
Mon Aug 16 07:49:16 EDT 2004


Hi, 

Your two unique http_inspect_server configs are wrong.  You need to add
what ports to inspect on each of those configs.  For example, 

preprocessor http_inspect_server: server xxx.xxx.158.212 \
    ports { 80 } ascii no bare_byte no iis_unicode no double_decode no

Without specifying a list of HTTP ports on a unique server profile,
you'll just end up using the default profile which in your case has the
bare_byte encoding turned on.  So that's why you're seeing the alerts.

Dan

On Mon, 2004-08-09 at 13:40, Jeremy Hewlett wrote:
> ----- Forwarded message from Chris Schock <black at ...12235...> -----
> 
> From: "Chris Schock" <black at ...12235...>
> To: snort-users at lists.sourceforge.net
> Reply-To: black at ...12235...
> Subject: [Snort-users] Having http_inspect problems, can't turn options off
> Return-Path: <snort-users-admin at lists.sourceforge.net>
> Date: Fri, 6 Aug 2004 10:33:57 -0600 (MDT)
> User-Agent: SquirrelMail/1.4.3a-0.f1.1
> X-Mailer: SquirrelMail/1.4.3a-0.f1.1
> 
> I am using Snort 2.2 RC1
> 
> Here is my http_inspect config in snort.conf:
> 
> ================
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252 \
>     proxy_alert
> 
> preprocessor http_inspect_server: server xxx.xxx.158.212 bare_byte no
> preprocessor http_inspect_server: server xxx.xxx.158.213 no_alerts
> 
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 } oversize_dir_length 500
> ================
> 
> My problem is that I am still getting lots and lots of "BARE BYTE UNICODE
> ENCODING" alerts for both servers, despite trying to suppress that
> specific alert for one, and turning alerting completely off for the other.
> I tried turning it off globally as well, but whenever I try that snort
> complains that there is a configuration problem.
> 
> What am I doing wrong?
> 
> 
> 
> ----- End forwarded message -----
> 
-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.
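The mistake Dan points out is easy to miss by eye in a long snort.conf, so here is a small lint script for it. It is an added example, not code from the thread or from Snort: it joins backslash-continued lines the way Snort reads them, pulls out every http_inspect_server profile, warns about unique profiles with no `ports { ... }` clause, and reports which profile ends up applying to a given server and port under the rule Dan describes (a unique profile matches only on its listed ports, otherwise the default profile is used). The two sample configurations are constructed from the quoted post and from Dan's corrected line; the `ports { 80 } no_alerts` line for the .213 server is my assumption about how that profile would be fixed, not something from the thread.

```python
"""Lint Snort 2.x http_inspect_server profiles for a missing ports clause.

Added example for this thread, not code from the post or from Snort.
"""
import re

# Constructed sample: the poster's configuration as quoted in the thread,
# with the obfuscated addresses left exactly as they appear there.
SAMPLE_CONF = """\
preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252 \\
    proxy_alert

preprocessor http_inspect_server: server xxx.xxx.158.212 bare_byte no
preprocessor http_inspect_server: server xxx.xxx.158.213 no_alerts

preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 } oversize_dir_length 500
"""

# Constructed sample: the same config with Dan's corrected .212 line; the
# .213 line with "ports { 80 } no_alerts" is an assumed fix, not from the thread.
FIXED_CONF = """\
preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252 \\
    proxy_alert

preprocessor http_inspect_server: server xxx.xxx.158.212 \\
    ports { 80 } ascii no bare_byte no iis_unicode no double_decode no
preprocessor http_inspect_server: server xxx.xxx.158.213 ports { 80 } no_alerts

preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 } oversize_dir_length 500
"""

_SERVER_RE = re.compile(
    r"preprocessor\s+http_inspect_server\s*:\s*server\s+(\S+)\s*(.*)")
_PORTS_RE = re.compile(r"\bports\s*\{([^}]*)\}")


def join_continuations(text):
    """Merge lines ending in a backslash into one logical line, as Snort does,
    and drop blank lines and comments."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append((buf + line).strip())
        buf = ""
    if buf:
        lines.append(buf.strip())
    return [l for l in lines if l and not l.startswith("#")]


def parse_server_profiles(text):
    """Return {server: {"ports": set of ints or None, "options": str}} for
    every http_inspect_server line in the config."""
    profiles = {}
    for line in join_continuations(text):
        m = _SERVER_RE.match(line)
        if not m:
            continue
        server, rest = m.group(1), m.group(2).strip()
        pm = _PORTS_RE.search(rest)
        ports = {int(p) for p in pm.group(1).split()} if pm else None
        profiles[server] = {"ports": ports, "options": rest}
    return profiles


def lint(text):
    """Warn about every unique (non-default) profile that has no ports clause."""
    warnings = []
    for server, prof in parse_server_profiles(text).items():
        if server != "default" and prof["ports"] is None:
            warnings.append(
                f"{server}: no 'ports {{ ... }}' clause; traffic to this server "
                f"is inspected with the default profile instead")
    return warnings


def effective_profile(text, server, port):
    """Name the profile applied to traffic to (server, port): the unique
    profile if it lists the port, else 'default' if the default profile lists
    it, else None (port not inspected by http_inspect at all)."""
    profiles = parse_server_profiles(text)
    prof = profiles.get(server)
    if prof and prof["ports"] and port in prof["ports"]:
        return server
    default = profiles.get("default")
    if default and default["ports"] and port in default["ports"]:
        return "default"
    return None


if __name__ == "__main__":
    for w in lint(SAMPLE_CONF):
        print("WARNING:", w)
    print("xxx.xxx.158.212:80 in posted config ->",
          effective_profile(SAMPLE_CONF, "xxx.xxx.158.212", 80))
    print("xxx.xxx.158.212:80 in fixed config  ->",
          effective_profile(FIXED_CONF, "xxx.xxx.158.212", 80))
```

Run against the posted configuration it warns for both unique servers and shows that port 80 traffic to the .212 host resolves to the default profile, which is where the bare_byte alerts come from; against the corrected configuration the warnings disappear and the unique profile is the one applied.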
