
RE: [Snort-users] Lots of http_inspect alerts - configuration hints?

Subject: RE: [Snort-users] Lots of http_inspect alerts - configuration hints?
Date: Wed, 28 Sep 2005 13:10:34 -0400
You can enable threshold.conf in your snort.conf and then use threshold
to stop getting these alerts, such as:

suppress gen_id 119, sig_id 2            #  http_inspect: DOUBLE DECODING ATTACK
 
Bruce

  _____  

From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Dahlmann,
Stephan
Sent: Wednesday, September 28, 2005 4:26 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Lots of http_inspect alerts - configuration
hints?



Hi all, 

I am running an IDS with two sensors inside in our DMZ. One sensor is
for LAN -> DMZ (Internet), one for DMZ -> LAN.
There are 3 squids running in our network (3 locations with one network)
and 2 IIS Web Servers. 

Snort is installed from Debian Sarge package, version 2.3.1. Rules are
the standard rules, not all enabled... 

The thing is: especially the proxies are generating lots of alerts,
mostly 
(http_inspect) BARE BYTE UNICODE ENCODING 
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY 
(http_inspect) OVERSIZE CHUNK ENCODING 
and some more. 

I figured out that there are several possibilities to configure or
disable http_inspect preprocessor, but some just don't work... 

Here is an extract from my snort.conf.eth1 which is LAN -> DMZ 

------ 

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500


# IIS webserver inspect rule
preprocessor http_inspect_server: server 10.0.0.80 ports { 80 81 } bare_byte no oversize_dir_length 600

# proxy-2 rule
preprocessor http_inspect_server: server 10.0.0.90 ports { 8080 } bare_byte no

# proxy 3 rule
preprocessor http_inspect_server: server 10.0.0.70 ports { 80 8080 } bare_byte no oversize_dir_length 600

# MS ISA server which will replace all three squids
preprocessor http_inspect_server: server 10.0.0.100 ports { 8080 } bare_byte no oversize_dir_length 800

----- 

As you see I already set the oversize_dir_length to 600! But I am still
getting alerts...

I suppose it's hard to say if I misconfigured something because you don't
know my network, but some hints or
explanations of the meaning and occasion of the alerts would be great...


thanks in advance, 
stephan 

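Taking the suppress idea from the reply one step further, here is an added example (not code from the thread or from the Snort project) that reads Snort "fast" alert lines, counts the http_inspect (gen_id 119) alerts per source host, and emits threshold.conf suppress entries scoped with track by_src to the known proxy addresses only, so the same signatures keep firing for any other host. The sample alert lines, their sig_id values other than 119:2, and the proxy addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed Snort fast-alert lines. The [gid:sid:rev] values other than
# 119:2 and the addresses are assumptions made for this example.
SAMPLE_ALERTS = """\
09/28-04:26:01.100000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.0.0.90:8080 -> 10.0.0.5:51234
09/28-04:26:02.200000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.90:8080 -> 10.0.0.5:51235
09/28-04:26:03.300000  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 10.0.0.70:8080 -> 10.0.0.6:40001
09/28-04:26:04.400000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.90:8080 -> 10.0.0.5:51236
09/28-04:26:05.500000  [**] [1:1000001:1] Custom rule hit [**] [Priority: 1] {TCP} 203.0.113.9:44444 -> 10.0.0.80:80
"""

# Pulls gid, sid, optional "(preprocessor)" tag, message and source IP.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?:\((?P<pp>[^)]+)\) )?(?P<msg>.*?) \[\*\*\].*?"
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


def parse_alerts(text):
    """Yield (gid, sid, msg, src_ip) for every parsable fast-alert line."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m["gid"]), int(m["sid"]), m["msg"], m["src"]


def count_http_inspect(text):
    """Count http_inspect alerts (gen_id 119) per (source IP, sig_id, message)."""
    counts = Counter()
    for gid, sid, msg, src in parse_alerts(text):
        if gid == 119:
            counts[(src, sid, msg)] += 1
    return counts


def suppress_lines(text, trusted_proxies):
    """Build threshold.conf suppress entries limited to the trusted proxies.

    'track by_src, ip <addr>' keeps the suppression per proxy address, so an
    http_inspect alert from any other host still reaches the analyst.
    """
    lines = []
    for (src, sid, msg), n in sorted(count_http_inspect(text).items()):
        if src in trusted_proxies:
            lines.append(
                f"suppress gen_id 119, sig_id {sid}, track by_src, ip {src}"
                f"   # http_inspect: {msg} ({n} hits)"
            )
    return lines


if __name__ == "__main__":
    print("\n".join(suppress_lines(SAMPLE_ALERTS, {"10.0.0.90", "10.0.0.70"})))
```

Review the generated lines before appending them to threshold.conf: a sig_id such as DOUBLE DECODING ATTACK may be noise from a proxy but is worth keeping for the IIS servers, which is exactly what the by_src scoping preserves.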