[Snort-users] HTTP inspect problem

Nigel Houghton nhoughton at ...1935...
Tue Dec 1 15:23:26 EST 2009


On Tue, Dec 1, 2009 at 2:59 PM,  <redwookie at ...11827...> wrote:
> Hey all - relative noob issue, but I cannot locate an answer anywhere else.
> Been fighting with issues in the snort.conf file, and I cannot get past it.
> Working with Snort 2.8.5.1 on Win2003 with IDScenter 1.1 rc4.
> Error is "Must configure the HTTP inspect global configuration first."
>
> Here's the relevant section from my snort.conf file:
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy windows timeout 180
> preprocessor stream5_global: track_tcp yes, max_tcp 8192, track_udp no
> preprocessor stream5_tcp: policy windows, use_static_footprint_sizes
> #preprocessor stream5_udp: ignore_any_rules
> preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map
> 1252
> preprocessor http_inspect_server: \
> preprocessor ftp_telnet: \
> preprocessor ftp_telnet_protocol: \
> preprocessor ftp_telnet_protocol: \
> preprocessor ftp_telnet_protocol: \
> preprocessor SMTP: \
> preprocessor ssh: server_ports { 22 } \
> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900
> 7901
> 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916
> 7917
> 7918 7919 7920 }, trustservers, noinspect_encrypted
> preprocessor dcerpc2: memcap 102400, events [co ]
> preprocessor dcerpc2_server: default, policy WinXP, \
> preprocessor dns: ports { 53 } enable_rdata_overflow
>
> Seems to me that the http_inspect: global is indeed set. I even modified the
> default from the latest rules
> to have the full path to the unicode map, and it shows that when the code
> runs, but stops at the next section.
> I was having this issue with Stream5, but I took out a comma and a slash and
> it started working past that.
> (What are the rules for using the commas and the slashes?)
> Thanks in advance for any help.
> Redd


The snort.conf looks a little weird. Not sure if those "c:\" windows
paths cause problems with parsing since "\" is used to escape line
endings for multiple lines in the config. I don't use Windows at all,
so I have no testbed to help out here.

Also, on a related note, the "\" in the rest of the snippet are
escaping line endings when they aren't needed. Did you try editing the
file by hand, i.e. constructing it yourself from the default
snort.conf in the Snort tarball?

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
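
Added example, not part of either message and not Snort code: a small Python linter that applies the line-continuation rule mentioned in the reply (a trailing "\" joins the next line) to a constructed sample modelled on the quoted snippet. The keyword list, the trailing-whitespace handling and the two heuristics are assumptions for illustration, not Snort's actual parser.

```python
import re

# Constructed sample modelled on the snippet quoted in the thread, not a complete snort.conf.
SAMPLE = r"""preprocessor stream5_tcp: policy windows, use_static_footprint_sizes
preprocessor http_inspect: global iis_unicode_map c:\snort\etc\unicode.map
1252
preprocessor http_inspect_server: \
preprocessor ftp_telnet: \
preprocessor ssh: server_ports { 22 } \
preprocessor dns: ports { 53 } enable_rdata_overflow
"""

# Assumption: non-exhaustive list of words that may start a snort.conf line.
KEYWORDS = {"preprocessor", "var", "ipvar", "portvar", "config", "include",
            "output", "dynamicpreprocessor", "dynamicengine", "alert", "log", "pass"}

def logical_lines(text):
    """Join physical lines ending in a backslash; yield (first_line_no, parts)."""
    start, parts = None, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()  # assumption: trailing whitespace after "\" is ignored
        start = start or no
        cont = line.endswith("\\")
        parts.append(line[:-1].strip() if cont else line.strip())
        if not cont:
            yield start, parts
            start, parts = None, []
    if parts:  # file ended while a continuation was still open
        yield start, parts

def lint(text):
    """Return (line_no, message) findings for suspicious continuation use."""
    findings = []
    for start, parts in logical_lines(text):
        first = parts[0]
        if not first or first.startswith("#"):
            continue
        word = re.split(r"[\s:]", first, maxsplit=1)[0]
        if word not in KEYWORDS:
            findings.append((start, "orphan fragment: " + first))
        for offset, part in enumerate(parts[1:], 1):
            if part.split(" ", 1)[0] in KEYWORDS:
                findings.append((start + offset, "directive swallowed by '\\' on previous line"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"line {n}: {m}" for n, m in lint(SAMPLE)))
```

On the sample it reports the stray `1252` line and the three `preprocessor` lines that a preceding trailing "\" folds into `http_inspect_server`; the `c:\snort\...` path is not flagged because its backslashes are not at the end of the line.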



