I am trying to tune my new Snort box. I am getting a number of false
positive alerts related to the http_inspect preproccessor. The alerts are
associated with outgoing traffic from my users going to various websites and
not incoming traffic to my webserver. In addition, we are only allowing
inbound SSL connections for our web mail. These are the alerts that are
being triggered:
http_inspect: BARE BYTE UNICODE ENCODING
http_inspect: DOUBLE DECODING ATTACK
http_inspect: IIS UNICODE CODEPOINT ENCODING
If I edit the snort.conf file with something like this:
preprocessor http_inspect_server: server default \
ports { 80 3128 } \
non_strict \
non_rfc_char { 0x00 } \
flow_depth 300 \
bare_byte no \
double_decode no \
iis_unicode no \
Will this eliminate the alerts I am getting? Also, will it impact the
processing down the line for the rules I've enabled? As I understand it,
the http_inspect preproccessor also assists with the detection of rule
violations enabled in the snort.conf file as well. In general, I want to
limit the numerous false positives I am getting, but not at the expense of
somewhat crippling the effectiveness of the IDS.
Thanks!
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
