[Snort-users] Having http_inspect problems, can't turn options off

Daniel Roelker droelker at ...1935...
Mon Aug 16 07:49:22 EDT 2004


Hi Kenneth,

> I have recently experienced similar problems and this is what I have done to
> fix it. I turned off alerting because of the overabundance of false
> positives. I believe that the false positives are in response to the SRC IP
> address having a high port number.

You were probably seeing encoding alerts because of the URL encodings
that various web clients were using on your network and the different
web applications that you are running, not because of a bug in the
processing.

The reason that you are seeing high src ports in the alerts is because
web clients use high src ports to communicate to web servers.  If you
look at your alerts, you'll see that the dst port is 80 (or another port
that you defined as an HTTP port).  This is the port that counts for the
encoding alerts, not the src port since that changes with each request
of the web client.

We are always trying to reduce false positives that occur with
http_inspect, so anyone that has false positive scenarios please email
them to either me or nigel[at]sourcefire[dot]com.  Packet dumps are
necessary for correct documentation of the false positive.

Thanks.

-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.
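The triage step described above (look at the dst port, not the ever-changing src port, when judging http_inspect encoding alerts) can be automated over an alert_fast log. The script below is an added example, not code from Snort, Sourcefire or this thread. The alert lines are constructed for the example in the shape of Snort 2's alert_fast output, with rule ids following the http_inspect preprocessor numbering (GID 119); the HTTP port set {80, 8080} passed to dst_ports_outside_config is an assumed configuration, meant to be replaced with the ports actually listed in your own http_inspect_server config.

```python
import re
from collections import defaultdict

# Sample lines constructed for this example, in the shape of Snort 2's alert_fast
# output; rule ids follow the http_inspect preprocessor numbering (GID 119).
SAMPLE_ALERTS = """\
08/16-07:49:22.101  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.168.1.10:51234 -> 10.0.0.5:80
08/16-07:49:23.202  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.168.1.10:51235 -> 10.0.0.5:80
08/16-07:49:24.303  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.168.1.11:49876 -> 10.0.0.5:80
08/16-07:49:25.404  [**] [119:3:1] (http_inspect) U ENCODING [**] [Priority: 3] {TCP} 192.168.1.12:50001 -> 10.0.0.6:8080
08/16-07:49:26.505  [**] [119:3:1] (http_inspect) U ENCODING [**] [Priority: 3] {TCP} 192.168.1.12:50002 -> 10.0.0.6:8080
08/16-07:49:27.606  [**] [119:3:1] (http_inspect) U ENCODING [**] [Priority: 3] {TCP} 192.168.1.13:50003 -> 10.0.0.7:8443
"""

# Pulls gid:sid, preprocessor name, alert message, protocol and the 4-tuple
# out of one alert_fast line. The timestamp and leading "[**]" are skipped.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] \((?P<preproc>\w+)\) (?P<msg>.+?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def summarize(alert_text):
    """Group http_inspect alerts by (message, dst port).

    For each group, count the alerts and collect the distinct client (src) ports
    and the servers hit. A group with many distinct src ports and one dst port is
    the normal client-side pattern: the src port is ephemeral, the server port is
    the one that matters.
    """
    groups = defaultdict(lambda: {"count": 0, "src_ports": set(), "servers": set()})
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None or alert["preproc"] != "http_inspect":
            continue
        group = groups[(alert["msg"], alert["dport"])]
        group["count"] += 1
        group["src_ports"].add(alert["sport"])
        group["servers"].add(alert["dst"])
    return dict(groups)


def dst_ports_outside_config(summary, http_ports):
    """Destination ports seen in alerts that are not in the HTTP port list you expect.

    http_ports is the set of ports you believe http_inspect is configured for;
    any port returned here means the running config differs from that belief.
    """
    return sorted({dport for (_msg, dport) in summary if dport not in http_ports})


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    for (msg, dport), info in sorted(summary.items()):
        print(f"{msg!r} -> dst port {dport}: {info['count']} alerts, "
              f"{len(info['src_ports'])} distinct src ports, servers {sorted(info['servers'])}")
    # Assumed HTTP port list for this example; use your own http_inspect ports here.
    print("dst ports outside assumed config:", dst_ports_outside_config(summary, {80, 8080}))
```

Feed the script your real alert_fast file instead of SAMPLE_ALERTS and the per-(message, dst port) groups tell you which encoding alert, against which server port, is generating the volume; that grouping, plus a packet dump of one representative hit, is what a false-positive report needs.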
