[Snort-users] Use of iis_unicode_map in HTTP Inspect on Linux IDS host

Research research at ...17107...
Sat Feb 28 20:27:21 EST 2015


Ok great - thank you.

On Feb 28, 2015, at 7:21 PM, Joel Esler (jesler) <jesler at ...589...> wrote:

> That’s the part I was writing about.  I’d just go with apache if that’s all you are running.  
> 
> 
>> On Feb 28, 2015, at 7:00 PM, Research <research at ...17107...> wrote:
>> 
>> Hi,
>> 
>> Ok, per-server configuration . . . currently I have:
>> 
>> 	preprocessor http_inspect_server: server 1.2.3.4 profile all ports { 80 }
>> 
>> I have a profile of “all” instead of “apache” because I read in the manual that “all” is:
>> 
>> 	“This is a great profile for detecting all types of attacks, regardless of the HTTP server.”
>> 
>> …but should that be specified as “apache”, or am I referring to the wrong part of snort.conf?
>> 
>> Thanks
>> 
>> On Feb 28, 2015, at 6:56 PM, Joel Esler (jesler) <jesler at ...589...> wrote:
>> 
>>> You don’t need to adjust that part (if I understand your question correctly); you do, however, need to have a per-server apache configuration line for http_inspect.
>>> 
>>> 
>>>> On Feb 28, 2015, at 6:43 PM, Research <research at ...17107...> wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> I had a question involving an option to the global setting of the HTTP inspect pre-processor in snort 2.9.7.0.
>>>> 
>>>> The default setting for the global settings for this pre-processor in snort.conf are:
>>>> 
>>>> 	preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
>>>> 
>>>> I see that iis_unicode_map unicode.map 1252 refers to the unicode.map file in /etc/snort and is using codepage 1252, but I was wondering if this is necessary if the host that Snort is running on is using Linux and Apache? Do I have to adjust that accordingly? I am doubly unsure because I note in the PDF of the manual on page 60 the following:
>>>> 
>>>> 	“The iis unicode map is a required configuration parameter.”
>>>> 
>>>> …which makes me think it applies to *ANY* HTTP server.  As a consequence, I have left it as a default setting but am wondering if it could and should be modified.
>>>> 
>>>> Thanks
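The configuration the thread converges on, written out as an added example after the message (these are not lines from the original posts beyond the two quoted above; the 1.2.3.4 address, the port lists and the default-server entry are placeholders and assumptions about the deployment, not something the thread specifies):

```conf
# Added example, not from the original thread.
# Global http_inspect line stays exactly as shipped in snort.conf. iis_unicode_map is a
# required global parameter no matter which HTTP server sits behind the sensor; the
# unicode.map file and codepage 1252 are only consulted by the IIS-specific unicode
# decoding, which the apache profile leaves turned off (see the profile table in the
# Snort manual), so there is nothing to "adjust" for a Linux/Apache host.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535

# Before (as quoted in the thread): the generic "all" profile, tuned for any server type.
# preprocessor http_inspect_server: server 1.2.3.4 profile all ports { 80 }

# After: the monitored host only runs Apache, so use the apache profile for it.
# 1.2.3.4 and the port list are placeholders (assumed) for the protected web server.
preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 }

# Optional: a catch-all for any other HTTP traffic the sensor sees. This entry is an
# assumption about the deployment, not something the thread asked for or specified.
preprocessor http_inspect_server: server default profile apache ports { 80 8080 }
```

After editing, validate the file without putting the sensor in line with `snort -T -c /etc/snort/snort.conf`; Snort parses every preprocessor line and reports the effective http_inspect server settings, which is the quickest way to confirm that the per-server block is actually bound to the right address and ports before the change reaches production.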