[Snort-users] http_inspect_server syntax error ?

Research research at ...17107...
Sun Mar 1 14:02:53 EST 2015


On Mar 1, 2015, at 1:34 PM, Y M <snort at ...15979...> wrote:

> I think you still need to specify a "default" http_inspect policy (correct me if I am wrong), although I could not find a reference to support that in the documentation (again, correct me if I am wrong). For example, the below works:
> 
> preprocessor http_inspect_server: server default profile apache ports { 80 }
> preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 }
> 
> > From: research at ...17107...
> > Date: Sun, 1 Mar 2015 12:25:03 -0500
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] http_inspect_server syntax error ?
> > 
> > Hi,
> > 
> > I am currently trying to configure the: http_inspect_server preprocessor options.
> > 
> > As a minimalist approach, I have:
> > 
> > preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 }
> > 
> > I am aiming to have the options:
> > 
> > server 1.2.3.4	 My web server IP address
> > profile apache	 My web server is Apache
> > ports { 80 } …running HTTP on port 80
> > 
> > However, when I attempt to launch Snort, I receive the following error:
> > 
> > Verifying Preprocessor Configurations!
> > HttpInspectConfigCheck() default server configuration not specified
> > Fatal Error, Quitting..
> > 
> > …which seems to apply it wants a profile of default.
> > 
> > What am I doing wrong ?
> > 
> > Thanks

I agree.  If I put the following:
	
	# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
	preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
	preprocessor http_inspect_server: server default profile apache ports { 80 }
	preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 }

…then I have success!  Snort is happy and runs.

However, I’d like to customize some of the parameters.  If I insert what you mentioned and then try and set some specific settings via the defaults in snort.conf, I get errors.

So if I have:

	# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
	preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
	preprocessor http_inspect_server: server default profile apache ports { 80 }
	preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 } \
	chunk_length 500000 \
	server_flow_depth 0 \

	(snip)...

…it seems that it does not like the options I am editing which were in the original snort.conf file (i.e. I haven’t added any options, just changing some from “no” to “yes”, etc.).

My hypothesis is that I can’t change some settings when the profile is Apache and the snort.conf parser is halting on that.  Is that correct ?

Thanks for your help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150301/44ae4e04/attachment.html>


More information about the Snort-users mailing list