[Snort-users] http_inspect question

Matt Kettler mkettler at ...4108...
Mon Oct 25 13:28:05 EDT 2004


At 02:53 PM 10/25/2004, Stevo wrote:
>I just installed Snort and am receiving a number of these http_inspect 
>errors.  They are all between internal hosts and my OWA server in my DMZ 
>and I'd like to disable them, but I can't work out how!

<bares savage teeth>

>Any ideas for me??  Please be gentle!

(Aw.. darn.. he asked me to be gentle)

  <slowly lips retract over teeth>


Look in snort.conf:

preprocessor http_inspect_server: server default \
     profile all ports { 80 8080 8180 } oversize_dir_length 500

This makes http_inspect monitor more-or-less anything as a server, and any 
path over 500 bytes triggers an oversize directory. This tends to be a bit 
noisy.

Instead, you can tell http_inspect only to monitor specific servers for 
attack, and/or modify the "oversize_dir_length" to an appropriate value for 
your server software:

preprocessor http_inspect_server: server 1.1.1.1 \
     profile all ports { 80 } oversize_dir_length 400
preprocessor http_inspect_server: server 2.2.2.2 \
     profile all ports { 80 } oversize_dir_length 600

You can also customize other settings, check in README.http_inspect in the 
doc subdir of the tarball.

I don't know of any way to ignore specific clients, so in general your best 
bet is to relax the settings for that server to the actual thresholds for 
the system.

You might also want to change from "profile all" to "profile iis" or 
"profile apache" as appropriate. This will disable some unnecessary 
detections that don't affect the particular platform. "all" tends to be a 
hodge-podge mode which detects anything which might trouble either kind of 
server.
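As an added, worked version of the advice above (this is example configuration written for this page, not Matt's or the Snort project's own file): keep the catch-all default block, but give the OWA server its own block with the IIS profile and a threshold chosen for that host. The address 192.0.2.10 and the threshold of 800 are placeholders; the option names are the ones documented in README.http_inspect.

```conf
# Added example, not from the original post. 192.0.2.10 stands in for
# the OWA server in the DMZ; 800 is an assumed oversize_dir_length,
# pick your own from the longest legitimate request path you see.

# Global http_inspect settings, shared by every server block below
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# Default server block: applies to every web server not matched by a
# more specific block. Snort needs a default block, so leave it in;
# this is the stock, somewhat noisy setting from snort.conf.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

# OWA (Exchange on IIS): "profile iis" drops the Apache-only checks
# that "profile all" also runs, ports is limited to the plaintext port
# (http_inspect cannot look inside the TLS traffic on 443 anyway), and
# oversize_dir_length is raised to what this server legitimately sends.
# Note this tunes the server; clients talking to it cannot be excluded.
preprocessor http_inspect_server: server 192.0.2.10 \
    profile iis ports { 80 } oversize_dir_length 800
```

Order matters only in that the more specific server block is matched by destination address, so the default keeps covering everything else. After editing, run snort -T -c snort.conf before restarting the sensor: a malformed preprocessor line is a fatal error at startup, and -T reports it without starting capture.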
