[Snort-users] Re: v2.3 http_inspect help/issue?

marc norton marc.norton at ...1935...
Mon Mar 7 07:33:17 EST 2005


The way to handle this is to not use a profile, but instead enable just 
the features you want for the server.  The documentation readme defines 
the attributes defined for each server, and what is available to create 
a custom server.

Rich Adamson wrote:
> Issue is with win32 Snort_230_Build10_Installer.exe pulled Saturday,
> but probably applies to nix versions as well. It installs just fine. 
> (FWIW, been using win32 snort since about the v1.8 days.)
> 
> In snort.conf, adding the "double_decode no" as in:
> 
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500 double_decode no
> 
> causes the following startup error:
> 
> ERROR: E:\snort-v2-3\etc\snort.conf(308) => Invalid token while configuring the
> profile token.  The only allowed tokens when configuring profiles are: 'ports',
> 'iis_unicode_map', 'allow_proxy_use', 'flow_depth', 'no_alerts', 'oversize_dir_l
> ength', and 'inspect_uri_only'.
> Fatal Error, Quitting..
> 
> Removing the double_decode parameter allows snort to start and function
> in a very normal manner.
> 
> If I uncomment the ten-line example for http_inspect where the parameters
> are applied to a "specific server", then the double_decode parameter
> is accepted and snort runs fine.
> 
> It would seem like the double_decode parameter should be usable in the
> default http_inspect statement as shown above. The logic in that thought
> is essentially one of... the default startup parameter for this causes
> a fair amount of noise when HOME_NET users visit EXTERNAL_NET web 
> servers.
> 
> Previous postings have suggested the above preprocessor statement is needed
> to normalize http traffic for certain rules. If that is true, then how
> does one eliminate the many false positives associated with double
> decodes if the parameter can't be applied to the default statement?
> 
> FWIW, several of the parameters shown in the snort.conf example are
> _not_ acceptable in the above preprocessor statement, and cause snort
> to exit with the above error message. Is this really the expected
> behavior? (Perhaps my understanding of the preprocessor is not 
> correct however.)
> 
> If I use the reverse logic for the preprocessor, it would suggest one
> or more of the following:
> a) the "server default" preprocessor line can never be used when
>    snort is monitoring internet gateway traffic (both incoming and
>    user outgoing http sessions), as it generates lots of false positives
>    for HOME-NET to EXTERNAL_NET traffic (eg, external web servers)
>    and there doesn't appear to be any way to manage those alerts.
> b) if snort is monitoring internet gateway traffic and there are many
>    internal web servers accessible from the internet, one would have
>    to define a http_inspect section for "each" server, since it does
>    not accept "server 1.2.3.0/24" logic.
> c) the preprocessor does not accept variables (such as HTTP_SERVERS
>    and HTTP_PORTS), therefore one http_inspect section has to be
>    defined for "each" internal http server. Seems like a waste
>    when one section could be applied to all internal http servers.
> d) since the http_inspect preprocessor was apparently written to 
>    help protect/identify issues with company-owned web servers
>    (not external_net servers), the README_http_inspect text should
>    probably address the above issues in a little bit more detail,
>    and specifically talk about the "server default" statement.
> 
> Am I way off base or misunderstanding the preprocessor?
> 
> Rich
> 
> 

-- 
Marc Norton   Snort Team Lead
410-423-1924  mnorton at ...1935...
www.snort.org www.sourcefire.com
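As an added configuration example (not from Marc's reply and not the Snort project's own snort.conf), this is the shape of `server default` block his advice describes: the `profile` keyword is dropped, so the profile-only token restriction in Rich's error message no longer applies, and each normalization option is named explicitly. `ports`, `oversize_dir_length`, `flow_depth` and `double_decode` are all option names that appear in the thread; the value `flow_depth 300` is an assumed choice, and any option not listed falls back to the preprocessor's own default rather than to a profile's setting.

```conf
# Added example: a custom default server for http_inspect_server without a profile.
# Options are listed one per line; the trailing backslash continues the statement.
preprocessor http_inspect_server: server default \
    ports { 80 8080 8180 } \
    flow_depth 300 \
    oversize_dir_length 500 \
    double_decode no
```

A `server default` entry applies to every HTTP flow Snort sees, including HOME_NET clients talking to external servers, which is where the double-decode noise in the thread comes from. The double-decode check exists to catch IIS-style encoding tricks against your own servers, so a defender who turns it off in the default block would normally keep a separate `server <ip>` entry, like the commented "specific server" example in snort.conf, for each internal IIS host with `double_decode yes`, so that the evasion detection is lost only for outbound client traffic and not for the servers the preprocessor was written to protect.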
