Snort mailing list archives
RE: http_inspect config options?
From: Rich Adamson <radamson () routers com>
Date: Sun, 27 Feb 2005 07:45:17 -0600
Okay, tried that, and regardless of how I format the line, snort responds with:

ERROR: E:\snort-v2-3\etc\snort.conf(306) => Invalid token while configuring the profile token. The only allowed tokens when configuring profiles are: 'ports', 'iis_unicode_map', 'allow_proxy_use', 'flow_depth', 'no_alerts', 'oversize_dir_length', and 'inspect_uri_only'.
Fatal Error, Quitting..

That obviously implies "double_decode" is not an acceptable token. Looks like a bug in win32 snort v2.3rc2 at least. Removing the double_decode keyword allows snort to run as normal.

Rich

----------------------------

You might want to try editing the line?

preprocessor http_inspect_server: server 10.1.0.3 profile iis ports { 80 8080 8180 } oversize_dir_length 500 double_decode no

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Adamson
Sent: Saturday, February 26, 2005 4:56 AM
To: Snort Users Postings
Subject: [Snort-users] http_inspect config options?

I'm trying to tune the http_inspect preprocessor on a v2.3rc2 win32 system using an entry like:

preprocessor http_inspect_server: server 10.1.0.3 \
profile iis ports { 80 8080 8180 } oversize_dir_length 500 \
double_decode no

After making the change to include the "double_decode no" statement, snort fails to start, complaining about that statement. Commenting it out allows snort to start correctly.

The doc\README.http_inspect file suggests this is a valid option, but I can't seem to find a syntax that actually is accepted. The sample in the etc\snort.conf suggests I'm using the correct syntax but obviously something is amiss.

Thoughts anyone?

---------------End of Original Message-----------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
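A pre-flight check for the situation in this thread, added here as an example (not code from the posters or the Snort project): it reports the first word on an http_inspect_server profile line that is not in the token list from the quoted error message, before the sensor is restarted. The per-token argument counts, the function names and the assumption that "profile <name>" precedes the other options are choices of this example.

```python
import re

# Tokens the Snort error quoted in the thread allows after "profile", mapped to
# an argument count (counts are this example's assumption; None = "{ ... }" list).
PROFILE_TOKENS = {"ports": None, "iis_unicode_map": 2, "allow_proxy_use": 0,
                  "flow_depth": 1, "no_alerts": 0, "oversize_dir_length": 1,
                  "inspect_uri_only": 0}
SERVER_RE = re.compile(r"preprocessor\s+http_inspect_server\s*:\s*(.*)")

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_number, joined_text)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        start = no if start is None else start
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None

def first_rejected_token(words):
    """Walk the words after 'profile <name>'; return the first unlisted token."""
    i = words.index("profile") + 2
    while i < len(words):
        word = words[i]
        if word not in PROFILE_TOKENS:
            return word
        if PROFILE_TOKENS[word] is None:        # ports { 80 8080 ... }
            i = words.index("}", i) + 1 if "}" in words[i:] else len(words)
        else:
            i += 1 + PROFILE_TOKENS[word]
    return None

def check_conf(text):
    """Return [(line_no, token)] for http_inspect_server profile lines at risk."""
    findings = []
    for no, line in logical_lines(text):
        m = SERVER_RE.match(line)
        words = m.group(1).split() if m else []
        if "profile" in words and (bad := first_rejected_token(words)):
            findings.append((no, bad))
    return findings

# The entry from the thread, in a constructed file where it starts at line 1.
SAMPLE = """preprocessor http_inspect_server: server 10.1.0.3 \\
    profile iis ports { 80 8080 8180 } oversize_dir_length 500 \\
    double_decode no
"""
```

Only the first unlisted word per entry is reported, matching the single fatal error Snort prints before quitting.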
Current thread:
- http_inspect config options? Rich Adamson (Feb 26)
- RE: http_inspect config options? Michael Steele (Feb 26)
- RE: http_inspect config options? Rich Adamson (Feb 27)
- Re: http_inspect config options? Jeremy Hewlett (Feb 28)
- RE: http_inspect config options? Rich Adamson (Mar 06)
- RE: http_inspect config options? Rich Adamson (Feb 27)
- RE: http_inspect config options? Michael Steele (Feb 26)
