[Snort-users] Use of iis_unicode_map in HTTP Inspect on Linux IDS host

Research research at ...17107...
Sat Feb 28 18:43:06 EST 2015


I had a question involving an option to the global setting of the HTTP inspect pre-processor in Snort.

The default setting for the global settings for this pre-processor in snort.conf is:

	preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535

I see that iis_unicode_map unicode.map 1252 refers to the unicode.map file in /etc/snort and is using codepage 1252, but I was wondering if this is necessary if the host that Snort is running on is using Linux and Apache? Do I have to adjust that accordingly? I am doubly unsure because I note in the PDF of the manual on page 60 the following:

	"The iis unicode map is a required configuration parameter."

…which makes me think it applies to *ANY* HTTP server.  As a consequence, I have left it as a default setting but am wondering if it could and should be modified.


