[Snort-users] http inspect editing
mkettler at ...4108...
Thu Feb 24 13:48:30 EST 2005
At 03:51 PM 2/24/2005, David Naylor wrote:
> Does anyone know how to edit unclassified rules? For example, I would
> like to edit or delete the rule for "double decoding attack" - http_inspect

That's not a rule at all, it's an alert generated by a preprocessor.
Since it's not a rule, you'd need to modify the source code for
http_inspect and recompile snort to do any kind of edit.

However, you can change the parameters you pass to http_inspect in your
snort.conf to disable this detection. Just add "double_decode no" to your
profile in snort.conf.

My personal approach is to not have any "default" http_inspect. I only run
http_inspect against my specific webservers.

preprocessor http_inspect_server: server 18.104.22.168 \
profile all ports <censored rest of config>

See the README.http_inspect that comes with the snort tarball for a bit
more detail on what kinds of things you can tell http_inspect to do or not do.