[Snort-users] http_inspect config options?

Rich Adamson radamson at ...2127...
Sun Mar 6 03:01:57 EST 2005


Tried the suggest line but still get:

ERROR: E:\snort-v2-3\etc\snort.conf(308) => Invalid token while configuring the
profile token.  The only allowed tokens when configuring profiles are: 'ports',
'iis_unicode_map', 'allow_proxy_use', 'flow_depth', 'no_alerts', 'oversize_dir_l
ength', and 'inspect_uri_only'.
Fatal Error, Quitting..

Looks like a Win32 coding problem to me, where the double_decode is
not being included.

------------------------
> You might want to try editing the line?
> 
> preprocessor http_inspect_server: server 10.1.0.3 profile iis ports { 80
> 8080 8180 } oversize_dir_length 500 double_decode no
> 
> Kindest regards, 
> Michael...
> 
> WINSNORT.com Management Team Member
> -- 
> Pick up your FREE Windows or UNIX Snort installation guides       
> mailto:support at ...9077...
> Website: http://www.winsnort.com
> Snort: Open Source Network IDS - http://www.snort.org
> 
> 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> > admin at lists.sourceforge.net] On Behalf Of Rich Adamson
> > Sent: Saturday, February 26, 2005 4:56 AM
> > To: Snort Users Postings
> > Subject: [Snort-users] http_inspect config options?
> > 
> > 
> > I'm trying to tune the http_inspect preprocessor on a v2.3rc2 win32
> > system using an entry like:
> > 
> > preprocessor http_inspect_server: server 10.1.0.3 \
> >     profile iis ports { 80 8080 8180 } oversize_dir_length 500 \
> >     double_decode no
> > 
> > After making the change to include the "double_decode no" statement,
> > snort fails to start complain about that statement. Commenting it
> > out allows snort to start correctly.
> > 
> > The doc\README.http_inspect file suggests this is a valid option,
> > but I can't seem to find a syntax that actually is accepted. The
> > sample in the etc\snort.conf suggests I'm using the correct syntax
> > but obviously something is amiss.
> > 
> > Thoughts anyone?
> > 
> > 
> > 
> > 
> > 
> > -------------------------------------------------------
> > SF email is sponsored by - The IT Product Guide
> > Read honest & candid reviews on hundreds of IT Products from real users.
> > Discover which products truly live up to the hype. Start reading now.
> > http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 
> 
> 
> 
> 
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

---------------End of Original Message-----------------






More information about the Snort-users mailing list