[Snort-users] http inspect editing

Matt Kettler mkettler at ...4108...
Thu Feb 24 13:48:30 EST 2005


At 03:51 PM 2/24/2005, David Naylor wrote:
>    Does anyone know how to edit unclassified rules?  For example, I would 
> like to edit or delete the rule for "double decoding attack" - http_inspect

That's not a rule at all, it's an alert generated by a preprocessor.

Since it's not a rule, you'd need to modify the source code for 
http_inspect and recompile snort to do any kind of edit.

However, you can change the parameters you pass to http_inspect in your 
snort.conf to disable this detection. Just add "double_decode no" to your 
profile in snort.conf.

My personal approach is to not have any "default" http_inspect. I only run 
http_inspect against my specific webservers.
i.e.:

preprocessor http_inspect_server: server 208.39.141.94 \
     profile all ports <censored rest of config>


See the README.http_inspect that comes with the snort tarball for a bit 
more detail on what kinds of things you can tell http_inspect to do or not do.
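
For context on what the "double decoding" alert reacts to, here is an added example that is not part of the original message and is not Snort's code. It is a simplified check that handles only %XX escapes (http_inspect also deals with other encodings), run over constructed request lines, and it shows that a benign URI such as an encoded space that was encoded a second time trips the same condition.

```python
import re
from urllib.parse import unquote

# A well-formed percent escape: '%' followed by two hex digits.
ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_passes(uri, max_passes=4):
    """Return (passes, final_uri): how many %XX decoding passes change the URI.

    One pass is ordinary URL encoding. Two or more passes mean an escape was
    hidden inside another escape (e.g. %2520 -> %20 -> space).
    """
    passes = 0
    while passes < max_passes and ESCAPE.search(uri):
        # latin-1 maps every byte to one character, so no escape is lost
        uri = unquote(uri, encoding="latin-1")
        passes += 1
    return passes, uri


def flag_double_encoded(request_lines):
    """Return (raw_uri, passes, decoded_uri) for each request needing >= 2 passes."""
    flagged = []
    for line in request_lines:
        parts = line.split(" ")
        if len(parts) != 3:          # expect "METHOD URI VERSION"
            continue
        passes, final = decode_passes(parts[1])
        if passes >= 2:
            flagged.append((parts[1], passes, final))
    return flagged


# Constructed sample request lines (not taken from any real capture).
SAMPLE = [
    "GET /index.html HTTP/1.1",                 # no escapes
    "GET /search?q=a%20b HTTP/1.1",             # normal single encoding
    "GET /docs/report%2520final.pdf HTTP/1.1",  # space encoded twice
    "GET /sale/100%25off HTTP/1.1",             # literal '%', single pass
    "GET /a%25252Fb HTTP/1.1",                  # three layers
]

if __name__ == "__main__":
    for raw, passes, final in flag_double_encoded(SAMPLE):
        print(f"{passes} passes: {raw!r} -> {final!r}")
```
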







