[sjconsulting at ...549...: [Snort-users] (http_inspect) NON-RFC HTTP DELIMITER issue]

Daniel Roelker droelker at ...1935...
Wed Jul 14 12:10:47 EDT 2004


The NON-RFC HTTP DELIMITER alert doesn't really false positive that
much.  All the alert means is that the standard '\r\n' delimiter was
replaced with '\n'.  A lot of exploits use this shorthand version and
picks up various HTTP scanners even if you don't have rules for it.  

In your case, I would just set the "iis_delimter" option to no.  This
will turn off the alert.  If you don't know what this means, then just
put 'no_alerts' at the end of your configuration, that's the easy way.

If you want more help, send your configuration to me offline and I'll
give you some suggestions.  I would still be interested in the pcap
though, just to verify that it's not a false positive.

Thanks,
Dan

On Wed, 2004-07-14 at 12:06, Jeremy Hewlett wrote:
> ----- Forwarded message from sjconsulting at ...549... -----
> 
> From: sjconsulting at ...549...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] (http_inspect) NON-RFC HTTP DELIMITER issue
> Return-Path: <snort-users-admin at lists.sourceforge.net>
> Date: Wed, 14 Jul 2004 11:21:28 -0400
> X-Mailer: iPlanet Messenger Express 5.2 HotFix 1.25 (built Mar  3 2004)
> 
> I am receiving this alert and I know this alert is being generated by someone streaming "Yahoo Shoutcast" on my net...would you consider this be a false positive?  Is there a way to turn this specifc inspection/alert off? I was reading through the http_inspect and I did not see where it was that allowed me to do this. I am running RH9, Snort 2.1.3. I f there is anything else that I need to post to help you folks help me, please let me know.
> 
> TIA.
> 
> ~SJC
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
> digital self defense, top technical experts, no vendor pitches, 
> unmatched networking opportunities. Visit www.blackhat.com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> ----- End forwarded message -----
> 
-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.





More information about the Snort-users mailing list