[Snort-users] http_inpect appears to mangle contents

Giles, David C. gilesdc at ...894...
Thu Oct 21 15:11:11 EDT 2004


   I am new to snort and am setting up snort 2.2.0 on a FreeBSD 4.8
system.  I used the "port" build process to build snort and pcre 5.0.

   I have one simple rule:

      redalert tcp any any -> any any (content:"my snort test"; nocase;)


   In snort.conf I have the default http_inpect statements:

      preprocessor http_inspect: global \
         iis_unicode_map /home/snort/snort/conf/unicode.map 1252

      preprocessor http_inspect_server: server default \
         profile all ports { 80 8080 8180 } oversize_dir_length 500

I start snort with:

      /usr/local/bin/snort -c $CONFIG_DIR/snort.conf -u snort -I sk0 -l
/tmp2/snort-logs -k none -z 

   If I comment out the above http_inspect lines in snort.conf then
snort detects my test page otherwise it does not.  

   The test server is an Apache 2.0.45 server and the test page is:

<html><body>
A page to trigger a snort alarm<br>
This is a flat page with "My SnORt test" for testing snort.
</body></html>

   Any assistance would be appreciated.

Thanks,
David Giles




More information about the Snort-users mailing list