[Snort-users] http_inspect config options?

Jeremy Hewlett jh at ...1935...
Mon Feb 28 08:44:59 EST 2005


Hi Rich, *wave*

On Sun, Feb 27, Rich Adamson wrote:
> Okay, tried that, and regardless of how I format the line, snort responds
> with:
> ERROR: E:\snort-v2-3\etc\snort.conf(306) => Invalid token while configuring the
> profile token.  The only allowed tokens when configuring profiles are: 'ports',
> 'iis_unicode_map', 'allow_proxy_use', 'flow_depth', 'no_alerts',
> 'oversize_dir_length', and 'inspect_uri_only'.
> Fatal Error, Quitting..

Both Global and Profile configuration directives have a limited set of
overrides. If you want to change a profile (read: IIS, Apache), you
should replace your IIS/Apache/All profile with a Server configuration
and include the options you want:

preprocessor http_inspect_server: server 1.1.1.1 \
    ports { 80 3128 8080 } \
    flow_depth 0 \
    ascii no \
    double_decode no \
    non_rfc_char { 0x00 } \
    chunk_length 500000 

Remember when specifying "yes" or "no" that all you're modifying 
is whether or not to *alert* on that type of encoding. Including it in
the configuration will automatically enable that type of scrubbing.
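
Added example (not part of the original message, and not Snort's own code): a small pre-flight check that flags `http_inspect_server` lines combining `profile` with options outside the override list in the quoted error message, so the problem is caught before Snort exits. The helper names, the simplified tokenising and the sample configuration are assumptions made for illustration.

```python
import re

# Override tokens accepted after "profile", copied from the error message
# quoted in the thread above.
PROFILE_OVERRIDES = {"ports", "iis_unicode_map", "allow_proxy_use", "flow_depth",
                     "no_alerts", "oversize_dir_length", "inspect_uri_only"}
# Keywords whose arguments are not plain yes/no/number values (assumed grammar).
ARG_COUNT = {"server": 1, "profile": 1, "iis_unicode_map": 2}
VALUE = re.compile(r"^(yes|no|\d+|0x[0-9a-fA-F]+)$")
PREFIX = "preprocessor http_inspect_server:"

def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations joined."""
    buf, start = "", 1
    for no, line in enumerate(text.splitlines(), 1):
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
        else:
            yield start, buf + line
            buf, start = "", no + 1

def check_http_inspect(text):
    """Return [(line_no, [rejected tokens])] for profile lines with extra options."""
    findings = []
    for no, line in logical_lines(text):
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        body = re.sub(r"\{[^}]*\}", " ", line[len(PREFIX):])  # drop { ... } lists
        tokens, keywords, i = body.split(), [], 0
        while i < len(tokens):
            tok = tokens[i]
            if not VALUE.match(tok):
                keywords.append(tok)
            i += 1 + ARG_COUNT.get(tok, 0)  # skip non-numeric arguments
        bad = [k for k in keywords
               if k not in PROFILE_OVERRIDES | {"server", "profile"}]
        if "profile" in keywords and bad:
            findings.append((no, bad))
    return findings

# Constructed sample: a profile line with extra options (rejected), followed by
# a server configuration without a profile, in the form the reply suggests.
SAMPLE = r"""preprocessor http_inspect_server: server default \
    profile iis ports { 80 8080 } double_decode no chunk_length 500000
preprocessor http_inspect_server: server 1.1.1.1 \
    ports { 80 3128 8080 } flow_depth 0 ascii no double_decode no
"""

if __name__ == "__main__":
    print(check_http_inspect(SAMPLE))
```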





