[Snort-users] http_inspect firing, despite no_alerts, suppression

Bhagya Bantwal bbantwal at ...1935...
Tue May 11 09:58:45 EDT 2010


no_alerts should disable all preprocessor alerts for http_inspect. I will
file a bug for tracking this and it will be fixed in the next snort version.

Thanks for reporting this issue.

-B
On Mon, May 10, 2010 at 5:22 PM, Erik <snort at ...14867...> wrote:

> Sorry, I meant to include that.
>
> # snort -V
>
>   ,,_     -*> Snort! <*-
>  o"  )~   Version 2.8.5.3 (Build 124)  FreeBSD
>   ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>           Using PCRE version: 7.9 2009-04-11
>
>
> On Mon, May 10, 2010 at 05:19:59PM -0400, Joel Esler wrote:
> >    What version of Snort is this?  Just to be clear.
> >
> >    J
> >    On Mon, May 10, 2010 at 3:02 PM, Erik <snort at ...14867...> wrote:
> >
> >      I'm seeing http_inspect events trigger despite my attempts at
> >      disabling such alerts.
> >      # uname -v
> >      FreeBSD 7.2-RELEASE-p4 #0: Fri Oct  2 08:22:32 UTC 2009
> >      root at ...14866...:/usr/obj/usr/src/sys/GENERIC
> >      Command line:
> >      /usr/local/bin/snort -i bridge0 -c /usr/local/etc/snort/snort.conf
> >      -A fast -q -D -c /usr/local/etc/snort/snort.conf
> >      #grep http_inspect /usr/local/etc/snort/snort.conf
> >      preprocessor http_inspect: global \
> >         iis_unicode_map unicode.map 1252
> >      preprocessor http_inspect_server: server default \
> >         profile all ports { 80 8080 8180 } oversize_dir_length 500
> >      no_alerts
> >      Shouldn't this prevent alerts since I don't have any other server
> >      definitions?  I'm still getting MULTIPLE CONTENT LENGTH hits every
> >      once in a while.
> >      Erik
>
>
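
A way to confirm the symptom reported in this thread on a sensor, added here as an example and not part of the original messages: it joins backslash-continued lines in snort.conf, checks that every http_inspect_server directive carries no_alerts, and looks for generator 119 (http_inspect) events in a fast-format alert file. The sample config and alert lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed config, modelled on the directives quoted in the thread.
SAMPLE_CONF = (
    "preprocessor http_inspect: global \\\n"
    "    iis_unicode_map unicode.map 1252\n"
    "preprocessor http_inspect_server: server default \\\n"
    "    profile all ports { 80 8080 8180 } oversize_dir_length 500 \\\n"
    "    no_alerts\n"
)
# Constructed fast-format alerts; SIDs, message text and addresses are made up.
SAMPLE_ALERTS = (
    "05/10-15:02:11.104233  [**] [119:1:1] (http_inspect) CONSTRUCTED EVENT [**] [Priority: 3] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80\n"
    "05/10-15:02:12.000100  [**] [1:1000001:1] constructed text rule [**] [Priority: 2] {TCP} 192.0.2.10:51235 -> 198.51.100.5:80\n"
)
HTTP_INSPECT_GID = 119  # generator ID of http_inspect events
FAST_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\]")

def logical_lines(conf):
    """Join backslash-continued lines; skip blank lines and # comments."""
    out, buf = [], ""
    for raw in conf.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(" ".join((buf + line).split()))
        buf = ""
    if buf.strip():
        out.append(" ".join(buf.split()))
    return out

def servers_missing_no_alerts(conf):
    """http_inspect_server directives whose joined text lacks no_alerts."""
    return [l for l in logical_lines(conf)
            if l.startswith("preprocessor http_inspect_server:")
            and "no_alerts" not in l.split()]

def http_inspect_hits(alerts):
    """(sid, message) for every alert raised by generator 119."""
    found = (FAST_RE.search(l) for l in alerts.splitlines())
    return [(int(m.group(2)), m.group(3)) for m in found
            if m and int(m.group(1)) == HTTP_INSPECT_GID]

def check(conf, alerts):
    if servers_missing_no_alerts(conf):
        return "config-gap"          # no_alerts is not part of the directive
    return "unexpected-alerts" if http_inspect_hits(alerts) else "ok"
```

A result of `unexpected-alerts` means the option is in the directive and http_inspect events were still logged; `config-gap` means the option never reached the directive.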