[Snort-users] http_inspect firing, despite no_alerts, suppression

Joel Esler jesler at ...1935...
Mon May 10 17:19:59 EDT 2010


What version of Snort is this?  Just to be clear.

J

On Mon, May 10, 2010 at 3:02 PM, Erik <snort at ...14867...> wrote:

> I'm seeing http_inspect events trigger despite my attempts at
> disabling such alerts.
>
> # uname -v
> FreeBSD 7.2-RELEASE-p4 #0: Fri Oct  2 08:22:32 UTC 2009
> root at ...14866...:/usr/obj/usr/src/sys/GENERIC
>
> Command line:
> /usr/local/bin/snort -i bridge0 -c /usr/local/etc/snort/snort.conf -A fast
> -q -D -c /usr/local/etc/snort/snort.conf
>
> #grep http_inspect /usr/local/etc/snort/snort.conf
>
> preprocessor http_inspect: global \
>    iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default \
>    profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
>
>
> Shouldn't this prevent alerts since I don't have any other server
> definitions?  I'm still getting MULTIPLE CONTENT LENGTH hits every
> once in a while.
>
> Erik