[Snort-users] HTTP inspect problem

redwookie at ...11827...
Tue Dec 1 14:59:59 EST 2009


Hey all - relative noob issue, but I cannot locate an answer anywhere else.
Been fighting with issues in the snort.conf file, and I cannot get past it.
Working with Snort 2.8.5.1 on Win2003 with IDScenter 1.1 rc4.
Error is "Must configure the HTTP inspect global configuration first."

Here's the relevant section from my snort.conf file:
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows timeout 180
preprocessor stream5_global: track_tcp yes, max_tcp 8192, track_udp no
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes
#preprocessor stream5_udp: ignore_any_rules
preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252
preprocessor http_inspect_server: \
preprocessor ftp_telnet: \
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
preprocessor SMTP: \
preprocessor ssh: server_ports { 22 } \
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901
7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917
7918 7919 7920 }, trustservers, noinspect_encrypted
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
preprocessor dns: ports { 53 } enable_rdata_overflow

Seems to me that the http_inspect: global is indeed set. I even modified the
default from the latest rules to have the full path to the unicode map, and it
shows that when the code runs, but stops at the next section.
I was having this issue with Stream5, but I took out a comma and a slash and it
started working past that.
(What are the rules for using the commas and the slashes?)
Thanks in advance for any help.
Redd
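
On the backslash part of the question: in snort.conf a trailing `\` continues a directive onto the next physical line, so a `\` followed directly by another `preprocessor` line folds that directive into the previous one. The following is an added example, not part of the original post: a small linter that flags such continuations, where `SAMPLE` is constructed from the excerpt above and `logical_lines` and `lint` are hypothetical helper names.

```python
import re

# Constructed sample modelled on the excerpt in the post (not the poster's full file).
SAMPLE = r"""preprocessor stream5_tcp: policy windows, use_static_footprint_sizes
preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map 1252
preprocessor http_inspect_server: \
preprocessor ftp_telnet: \
preprocessor ssh: server_ports { 22 } \
preprocessor dns: ports { 53 } enable_rdata_overflow
"""

# Keywords that start a new snort.conf directive.
DIRECTIVE = re.compile(r"^\s*(preprocessor|config|var|ipvar|portvar|include|output)\b")

def logical_lines(text):
    """Yield (first_line_no, [physical lines]) with backslash continuations joined."""
    start, parts = None, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            parts.append(line[:-1])
            continue
        parts.append(line)
        yield start, parts
        start, parts = None, []
    if parts:  # file ended while a continuation was still open
        yield start, parts + [None]

def lint(text):
    """Return (line_no, message) for continuations that swallow another directive."""
    findings = []
    for start, parts in logical_lines(text):
        if parts[-1] is None:
            findings.append((start, "continuation runs to end of file"))
            parts = parts[:-1]
        for offset, part in enumerate(parts[1:], 1):
            if DIRECTIVE.match(part):
                findings.append((start + offset,
                                 "directive swallowed by '\\' on the previous line"))
    return findings

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```
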