[Snort-users] Lots of http_inspect alerts - configuration hints?

Dahlmann, Stephan Stephan.Dahlmann at ...13502...
Wed Sep 28 01:26:56 EDT 2005


Hi all,

i am running an IDS with two sensors inside in our DMZ. One Sensor is
for LAN -> DMZ (Internet), one for DMZ -> LAN.
There are 3 squids running in our network (3 locations with one network)
and 2 IIS Web Servers.

Snort is installed from Debian Sarge package, version 2.3.1. Rules are
the standard rules, not all enabled...

The thing is: especially the proxies are generating lots of alerts,
mostly
(http_inspect) BARE BYTE UNICODE ENCODING 
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY 
(http_inspect) OVERSIZE CHUNK ENCODING 
and some more.

I figured out that there are several possibilities to configure or
disable http_inspect preprocessor, but some just don't work... 
Here is an extract from my snort.conf.eth1 which is LAN -> DMZ

------

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default profile all ports { 80
8080 8180 } oversize_dir_length 500


# IIS webserver inspect rule
preprocessor http_inspect_server: server 10.0.0.80 ports { 80 81 }
bare_byte no oversize_dir_length 600

# proxy-2 rule
preprocessor http_inspect_server: server 10.0.0.90 ports { 8080 }
bare_byte no

# proxy 3 rule
preprocessor http_inspect_server: server  10.0.0.70 ports { 80 8080 }
bare_byte no oversize_dir_length 600

# MS ISA server which will replace all three squids
preprocessor http_inspect_server: server 10.0.0.100 ports { 8080 }
bare_byte no oversize_dir_length 800

-----

As you see i already set the oversize_dir_length to 600! But still
getting alerts...

I suppose it's hard to say if i misconfigured something cause u don't
know my network, but some hints or 
explanations to the meaning and occasion of the alerts would be great...

thanks in advance,
stephan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050928/1192375b/attachment.html>


More information about the Snort-users mailing list