[Snort-users] trouble with http_inspect

Jeremy Hewlett jh at ...1935...
Mon Oct 18 10:51:02 EDT 2004


On Mon, Oct 18, Larry Wichman wrote:
> 
>    I  am  having  trouble config'n my http inspect preprocessor. I do not
>    want Apache_Whitespace alerts. Here is my config:
> 
>    preprocessor http_inspect: global \
>        iis_unicode_map unicode.map 1252\

Remove this backslash after 1252. You're trying to line-continue a
global statement into a default statement.

>    #
>    preprocessor http_inspect_server: server default \
>        profile all ports { 80 8080 8180 } oversize_dir_length 500 \
>        apache_whitespace no

Also, you can only modify a profile with ports, iis_unicode_map,
allow_proxy_use, flow_depth, no_alerts, oversize_dir_length, and,
inspect_uri_only. 

If all you're trying to do is squash alerts, just add no_alerts and
create some "server <ip of my http server>" entries for what you're
interested in protecting. Note that you can't define servers with
netmasks yet - that functionality is coming.






More information about the Snort-users mailing list