
Thread: Snort IDS Question

  1. #11 IKnowNot (Senior Member, joined Jan 2003, 792 posts)
    I have an answer, but I do not consider myself that proficient in the SNORT rules or the rationale behind them ....

    I would prefer someone with more knowledge reply.

    Maybe I have had too much of the grape, but I could not find how to bump this thread (even though I tried assigning points to it as we used to be able to), so I included this in a response in hopes it would bring attention to it.

    Although henry95's question would be better directed to the SNORT lists, I believe that many here could answer, as it is more a general question (albeit a little more specific since the packets in question appear to be coming from within).

    Anyone care to take a stab?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  2. #12 nebulus200 (Jaded Network Admin, joined Jun 2002, 1,356 posts)
    http://www.snort.org/docs/snort_htma...00000000000000

    chunk encoding alert on chunks larger than 500000 bytes
    I am assuming this is self explanatory? If not, just search for 'chunked encoding' and read up on it. The documentation on the above page states 'This option is an anomaly detector for abnormally large chunk sizes. This picks up the Apache chunk encoding exploits, and may also alert on HTTP tunneling that uses chunk encoding.'
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #13
    Thx guys.

  4. #14
    henry,

    What this means is that you need to make an entry for each of your http servers in your http_inspect_server configuration and tune each line to the specific webserver running at the IP. (IIS + Apache have their own configs, but others need custom tuning)

    Check out the examples in your snort.conf.

  5. #15
    The alert is coming from an outbound connection. So when I visit that site, the alert comes up. But I know the site is legit, and I just filtered out alerts from it.

  6. #16
    I understand what you are saying. The reason you are getting the alerts is because you do not have your http_inspect_server lines set. Therefore the Snort process has to say "ALL traffic in OR out is mine".

    If you tell it which is YOURS then it doesn't have to analyze outbound traffic except in web-client.rules.

  7. #17
    ahh ok, I'll tinker more with it.

  8. #18
    I checked my snort.conf and this is what I have for http_inspect_server

    Code:
    preprocessor http_inspect: global iis_unicode_map unicode.map 1252
    preprocessor http_inspect_server: server default profile all ports { 80 8080 } no_alerts

    I added no_alerts just so it would stop showing up in my logs.

  9. #19
    oookay

    That's kinda like using a sledgehammer to tap in a nail...

    Shutting off all the alerts isn't really the answer, proper tuning is. Your global line should be configured to reflect the majority of the http servers present on your network. Then any deviations from that need to have their own lines (different ports, different server types).

    Shutting off the alerts does get rid of the alerts and just makes http_inspect normalize traffic; however, you are not seeing some of the benefit of http_inspect, in that it has its own alerting!
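To make the tuning advice in #14, #16 and #19 concrete, here is an added example of what an http_inspect section of a Snort 2.x snort.conf can look like once the no_alerts line from #18 is replaced with a default that matches the majority of web servers plus per-server lines for the exceptions. This is not configuration from the thread or from the Snort project; the IP addresses and the choice of Apache as the majority server type are assumptions, and the chunk_length value simply reuses the 500000-byte figure quoted from the Snort documentation in #12.

```conf
# snort.conf, http_inspect section (added example, not from the thread).
# Addresses 10.0.0.10 / 10.0.0.20 / 10.0.0.30 are placeholders.

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# The setting from #18: every HTTP flow in or out is treated as "mine",
# and http_inspect's own alerting is switched off entirely.
# preprocessor http_inspect_server: server default profile all ports { 80 8080 } no_alerts

# Tuned default: reflects the majority of the servers on the network
# (assumed Apache here) and leaves http_inspect alerting on.
preprocessor http_inspect_server: server default profile apache ports { 80 8080 }

# Deviations from the default get their own lines.
# An IIS box on the standard port:
preprocessor http_inspect_server: server 10.0.0.10 profile iis ports { 80 }

# A server of another type on a non-standard port; profile all keeps
# the broad normalization but narrows inspection to this host's port.
preprocessor http_inspect_server: server 10.0.0.20 profile all ports { 8000 }

# A server tuned without a profile: individual options are set instead,
# including the large-chunk anomaly threshold discussed in #12.
preprocessor http_inspect_server: server 10.0.0.30 ports { 8080 } chunk_length 500000 non_strict
```

Two practical notes: in Snort 2.x the profile keyword must come first on a server line and only a small set of options (such as ports, flow_depth and no_alerts) may follow it, so per-option settings like chunk_length belong on a line that does not use a profile, as in the last entry. Also, while a server default line is present, hosts not listed individually are still inspected with that default; leave it in unless you really want unlisted hosts to bypass http_inspect.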
