[Snort-users] Use of iis_unicode_map in HTTP Inspect on Linux IDS host
research at ...17107...
Sat Feb 28 18:43:06 EST 2015
I had a question involving an option to the global setting of the HTTP inspect pre-processor in snort 184.108.40.206.
The default global settings for this pre-processor in snort.conf are:
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
I see that iis_unicode_map unicode.map 1252 refers to the unicode.map file in /etc/snort and is using codepage 1252, but I was wondering if this is necessary if the host that Snort is running on is using Linux and Apache? Do I have to adjust that accordingly? I am doubly unsure because I note in the PDF of the manual on page 60 the following:
"The iis unicode map is a required configuration parameter."
…which makes me think it applies to *ANY* HTTP server. As a consequence, I have left it as a default setting but am wondering if it could and should be modified.