[Snort-users] Use of iis_unicode_map in HTTP Inspect on Linux IDS host

Research research at ...17107...
Sat Feb 28 19:00:33 EST 2015


Hi,

OK, per-server configuration . . . currently I have:

	preprocessor http_inspect_server: server 1.2.3.4 profile all ports { 80 }

I have a profile of “all” instead of “apache” because I read in the manual that “all” is:

	“This is a great profile for detecting all types of attacks, regardless of the HTTP server.”

…but should that be specified as “apache”, or am I referring to the wrong part of snort.conf?

Thanks

On Feb 28, 2015, at 6:56 PM, Joel Esler (jesler) <jesler at ...589...> wrote:

> You don’t need to adjust that part (if I understand your question correctly); you do, however, need to have a per-server Apache configuration line for http_inspect.
> 
> 
>> On Feb 28, 2015, at 6:43 PM, Research <research at ...17107...> wrote:
>> 
>> Hi,
>> 
>> I had a question involving an option to the global setting of the HTTP inspect pre-processor in snort 2.9.7.0.
>> 
>> The default global settings for this pre-processor in snort.conf are:
>> 
>> 	preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
>> 
>> I see that iis_unicode_map unicode.map 1252 refers to the unicode.map file in /etc/snort and is using codepage 1252, but I was wondering if this is necessary if the host that Snort is running on is using Linux and Apache? Do I have to adjust that accordingly? I am doubly unsure because I note in the PDF of the manual on page 60 the following:
>> 
>> 	“The iis unicode map is a required configuration parameter.”
>> 
>> …which makes me think it applies to *ANY* HTTP server. As a consequence, I have left it as a default setting but am wondering if it could and should be modified.
>> 
>> Thanks
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
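For reference, here is how the two http_inspect layers discussed above fit together in snort.conf for a Linux/Apache host. This is an added example, not configuration posted by either participant; the server address 1.2.3.4 and port 80 are taken from the thread, while the unicode.map location under /etc/snort, the extra port 8080 and the `server default` fallback are assumptions.

```conf
# Added example (not from the thread): global and per-server http_inspect
# configuration for an IDS watching an Apache server at 1.2.3.4 (assumed
# values: unicode.map resolves relative to /etc/snort, port 8080, default server).

# Global layer. The Snort manual lists iis_unicode_map as a required
# parameter, so this line stays as shipped even though the monitored
# server is Apache. The map only supplies the code-page 1252 table used
# when a server profile decodes IIS-style unicode sequences.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    compress_depth 65535 decompress_depth 65535

# Per-server layer. Traffic to 1.2.3.4:80 is inspected with the apache
# profile, which enables Apache-specific normalization (e.g. apache
# whitespace handling) and does not turn on the IIS-only decoders that
# consume the global map.
preprocessor http_inspect_server: server 1.2.3.4 \
    profile apache ports { 80 }

# Any other HTTP server seen on these ports falls back to the generic
# "all" profile, which keeps the IIS-style decoders enabled and therefore
# does use the global iis_unicode_map.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 }
```

After editing, validate the configuration without starting inspection using `snort -T -c /etc/snort/snort.conf`; a missing global iis_unicode_map, or a per-server line that references an undefined profile, is reported at that stage rather than at runtime.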