[Snort-users] http_inspect firing, despite no_alerts, suppression

Erik snort at ...14867...
Mon May 10 17:22:38 EDT 2010


Sorry, I meant to include that.

# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.3 (Build 124)  FreeBSD
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.9 2009-04-11


On Mon, May 10, 2010 at 05:19:59PM -0400, Joel Esler wrote:
>    What version of Snort is this?  Just to be clear.
> 
>    J
>    On Mon, May 10, 2010 at 3:02 PM, Erik <[1]snort at ...14867...> wrote:
> 
>      I'm seeing http_inspect events trigger despite my attempts at
>      disabling such alerts.
>      # uname -v
>      FreeBSD 7.2-RELEASE-p4 #0: Fri Oct  2 08:22:32 UTC 2009
>      root at ...14866...:/usr/obj/usr/src/sys/GENERIC
>      Command line:
>      /usr/local/bin/snort -i bridge0 -c /usr/local/etc/snort/snort.conf
>      -A fast -q -D -c /usr/local/etc/snort/snort.conf
>      #grep http_inspect /usr/local/etc/snort/snort.conf
>      preprocessor http_inspect: global \
>         iis_unicode_map unicode.map 1252
>      preprocessor http_inspect_server: server default \
>         profile all ports { 80 8080 8180 } oversize_dir_length 500
>      no_alerts
>      Shouldn't this prevent alerts since I don't have any other server
>      definitions?  I'm still getting MULTIPLE CONTENT LENGTH hits every
>      once in a while.
>      Erik
>      --------------------------------------------------------------------
>      ----------
>      _______________________________________________
>      Snort-users mailing list
>      [2]Snort-users at lists.sourceforge.net
>      Go to this URL to change user options or unsubscribe:
>      [3]https://lists.sourceforge.net/lists/listinfo/snort-users
>      Snort-users list archive:
>      [4]http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> References
> 
>    1. mailto:snort at ...14867...
>    2. mailto:Snort-users at lists.sourceforge.net
>    3. https://lists.sourceforge.net/lists/listinfo/snort-users
>    4. http://www.geocrawler.com/redir-sf.php3?list=snort-users




