[Snort-users] v2.3 http_inspect help/issue?

Rich Adamson radamson at ...2127...
Sun Mar 6 05:48:36 EST 2005


Issue is with win32 Snort_230_Build10_Installer.exe pulled Saturday,
but probably applies to nix versions as well. It installs just fine. 
(FWIW, been using win32 snort since about the v1.8 days.)

In snort.conf, adding the "double_decode no" as in:

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 double_decode no

causes the following startup error:

ERROR: E:\snort-v2-3\etc\snort.conf(308) => Invalid token while configuring the
profile token.  The only allowed tokens when configuring profiles are: 'ports',
'iis_unicode_map', 'allow_proxy_use', 'flow_depth', 'no_alerts', 'oversize_dir_l
ength', and 'inspect_uri_only'.
Fatal Error, Quitting..

Removing the double_decode parameter allows snort to start and function
in a very normal manner.

If I uncomment the ten-line example for http_inspect where the parameters
are applied to a "specific server", then the double_decode parameter
is accepted and snort runs fine.

It would seem like the double_decode parameter should be usable in the
default http_inspect statement as shown above. The logic in that thought
is essentially one of... the default startup parameter for this causes
a fair amount of noise when HOME_NET users visit EXTERNAL_NET web 
servers.

Previous postings have suggested the above preprocessor statement is needed
to normalize http traffic for certain rules. If that is true, then how
does one eliminate the many false positives associated with double
decodes if the parameter can't be applied to the default statement?

FWIW, several of the parameters shown in the snort.conf example are
_not_ acceptable in the above preprocessor statement, and cause snort
to exit with the above error message. Is this really the expected
behavior? (Perhaps my understanding of the preprocessor is not 
correct however.)

If I use the reverse logic for the preprocessor, it would suggest one
or more of the following:
a) the "server default" preprocessor line can never be used when
   snort is monitoring internet gateway traffic (both incoming and
   user outgoing http sessions), as it generates lots of false positives
   for HOME_NET to EXTERNAL_NET traffic (e.g., external web servers)
   and there doesn't appear to be any way to manage those alerts.
b) if snort is monitoring internet gateway traffic and there are many
   internal web servers accessible from the internet, one would have
   to define a http_inspect section for "each" server, since it does
   not accept "server 1.2.3.0/24" logic.
c) the preprocessor does not accept variables (such as HTTP_SERVERS
   and HTTP_PORTS), therefore one http_inspect section has to be
   defined for "each" internal http server. Seems like a waste
   when one section could be applied to all internal http servers.
d) since the http_inspect preprocessor was apparently written to 
   help protect/identify issues with company-owned web servers
   (not external_net servers), the README_http_inspect text should
   probably address the above issues in a little bit more detail,
   and specifically talk about the "server default" statement.

Am I way off base or misunderstanding the preprocessor?

Rich