RE: Ok, Ok - I know - http_inspect

[Snortty <cwcwcwg () yahoo com>]

It's true that one can not specify a subnet, but singe
IP or global. 

But, I want to use inspect_uri_only enabled for ALL
http_inspect alerts, can only make it work if I enter
an IP address to replace default sever 1.1.1.1. 

It won't work if I put it like (in snort.conf):

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
    inspect_uri_only

snort won't run, and detect error due to this line. 

Can anyone tell me how to enable this 

inspect_uri_only

for ALL http_inspect alerts (so no such alerts will be
logged except uricontent inspection please?

THANK YOU!
Sty

--- SN ORT <snort_on_acid () yahoo com> wrote:
> I don't believe you will be able to specify a
> subnet.
> I tried that awhile ago and couldn't get it to work.
> It's either global or server-specific.
>
> Cheese!
>
> Marc
>
> --__--__--
>
> Message: 1
> From: "Rowland, Krisa W ERDC-ITL-MS Contractor"
>        <Krisa.W.Rowland () erdc usace army mil>
> To: "'Snort-users () lists sourceforge net'"
>        <Snort-users () lists sourceforge net>
> Date: Wed, 16 Jun 2004 10:53:56 -0500
> Subject: [Snort-users] Ok, Ok - I know -
> http_inspect
>
> This message is in MIME format. Since your mail
> reader
> does not understand
> this format, some or all of this message may not be
> legible.
>
> ------_=_NextPart_001_01C453BA.219029D8
> Content-Type: text/plain
>
> I know I'm going to get slaughtered for even
> bringing
> up the subject of
> http_inspect.  I've read through the old posts, and
> also read through the
> manual.  I'm hoping that someone can offer
> clarification or guidance on
> this, though.  I do not want to disable this option
> -
> but at the moment I'm
> going to have to - just pouring out too many alerts.
>
> I tried to limit these alerts to only my webfarm
> subnet by doing this:
>
> preprocessor http_inspect_server: server x.x.x.0/8 \
>     profile all ports { 80 8080 8180 }
> oversize_dir_length 500
>
> But it didn't like that.  I'd just like to restrict
> these alerts to one
> subnet - how do I do that?
>
> Shouldn't I use the all profile if I'm pretty sure
> that I have apache and
> IIS servers?
>
> Krisa Rowland
> <snip>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam
> protection around 
> http://mail.yahoo.com 
-------------------------------------------------------
> This SF.Net email is sponsored by The 2004
> JavaOne(SM) Conference
> Learn from the experts at JavaOne(SM), Sun's
> Worldwide Java Developer
> Conference, June 28 - July 1 at the Moscone Center
> in San Francisco, CA
> REGISTER AND SAVE! http://java.sun.com/javaone/sf
> Priority Code NWMGYKND
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



                
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail 


-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users