[Snort-users] http_inspect appears to mangle contents

Andreas Östling andreaso at ...236...
Fri Oct 15 00:43:25 EDT 2004


On Thursday 14 October 2004 23:02, Giles, David C. wrote:
>    If I comment out the above http_inspect lines in snort.conf then
> snort detects my test page otherwise it does not.
>
>    The test server is an Apache 2.0.45 server and the test page is:
>
> <html><body>
> A page to trigger a snort alarm<br>
> This is a flat page with "My SnORt test" for testing snort.
> </body></html>

Perhaps you need to adjust flow_depth (see doc/README.http_inspect).
As a test, add "flow_depth 0" to your http_inspect_server statement and see if 
it helps:

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0

This can impact performance though.

/Andreas
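
Added example, not part of the message above and not Snort code: a simplified model of why a response-depth limit can hide the test string from a content match. It assumes flow_depth N limits inspection to the first N bytes of the server response payload (headers included) and that 0 removes the limit; the response headers are constructed sample data and 300 is just a sample limit.

```python
# Added illustration: a simplified model of a response-depth limit, not Snort code.

# Constructed sample: headers typical of an Apache 2.0.45 reply, followed by
# the test page quoted in the thread.
BODY = (b'<html><body>\n'
        b'A page to trigger a snort alarm<br>\n'
        b'This is a flat page with "My SnORt test" for testing snort.\n'
        b'</body></html>\n')
HEADERS = (b"HTTP/1.1 200 OK\r\n"
           b"Date: Thu, 14 Oct 2004 21:00:00 GMT\r\n"
           b"Server: Apache/2.0.45 (Unix)\r\n"
           b"Last-Modified: Thu, 14 Oct 2004 20:00:00 GMT\r\n"
           b'ETag: "1a2b3c-7f-4d5e6f00"\r\n'
           b"Accept-Ranges: bytes\r\n"
           b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
           b"Keep-Alive: timeout=15, max=100\r\n"
           b"Connection: Keep-Alive\r\n"
           b"Content-Type: text/html; charset=ISO-8859-1\r\n\r\n")
RESPONSE = HEADERS + BODY
PATTERN = b"My SnORt test"  # case-sensitive, like a plain content match


def inspected_window(payload: bytes, flow_depth: int) -> bytes:
    """Bytes a depth-limited inspector would hand to the rule engine."""
    if flow_depth < 0:
        raise ValueError("this model only covers flow_depth >= 0")
    return payload if flow_depth == 0 else payload[:flow_depth]


def content_matches(payload: bytes, pattern: bytes, flow_depth: int) -> bool:
    """True if the whole pattern lies inside the inspected window."""
    return pattern in inspected_window(payload, flow_depth)


def min_depth_needed(payload: bytes, pattern: bytes):
    """Smallest positive flow_depth that still covers the pattern, or None."""
    start = payload.find(pattern)
    return None if start < 0 else start + len(pattern)


if __name__ == "__main__":
    need = min_depth_needed(RESPONSE, PATTERN)
    print(f"headers: {len(HEADERS)} bytes, pattern ends at byte {need}")
    for depth in (300, need - 1, need, 0):
        print(f"flow_depth {depth:>4}: match={content_matches(RESPONSE, PATTERN, depth)}")
```

Running the same calculation against a captured response from the real server shows how deep the string actually sits, which helps choose a limit smaller than "inspect everything".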



