Snort - the de facto standard for intrusion detection/prevention
the de facto standard in IPS  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Snort Downloads Snort Rules Snort Docs Snort Training Snort Forums Snort Community Snort Store
Search Site
Search Rules
Account
email
password
not registered?
can't login?
user preferences
next up previous contents
Next: Example Up: HTTP Inspect Previous: Example IP Configuration   Contents

Server Configuration Options

Important: Some configuration options have an argument of `yes' or `no'. This argument specifies whether the user wants the configuration option to generate an HTTP Inspect alert or not. The `yes/no' argument does not specify whether the configuration option itself is on or off, only the alerting functionality. In other words, whether set to `yes' or 'no', HTTP normalization will still occur, and rules based on HTTP traffic will still trigger.

25.
profile $<$all$\vert$apache$\vert$iis$>$

Users can configure HTTP Inspect by using pre-defined HTTP server profiles. Profiles allow the user to easily configure the preprocessor for a certain type of server, but are not required for proper operation.

There are three profiles available: all, apache, and iis.

24-A.
all

The all profile is meant to normalize the URI using most of the common tricks available. We alert on the more serious forms of evasions. This is a great profile for detecting all types of attacks, regardless of the HTTP server. profile all sets the configuration options described in Table 2.7.


Table 2.7: Options for the ``all'' Profile
Option Setting
flow_depth 300
chunk encoding alert on chunks larger than 500000 bytes
iis_unicode_map codepoint map in the global configuration
ascii decoding on, alert off
multiple slash on, alert off
directory normalization on, alert off
apache whitespace on, alert off
double decoding on, alert on
%u decoding on, alert on
bare byte decoding on, alert on
iis unicode codepoints on, alert on
iis backslash on, alert off
iis delimiter on, alert off
webroot on, alert on
non_strict URL parsing on
tab_uri_delimiter is set

24-B.
apache

The apache profile is used for Apache web servers. This differs from the iis profile by only accepting UTF-8 standard Unicode encoding and not accepting backslashes as legitimate slashes, like IIS does. Apache also accepts tabs as whitespace. profile apache sets the configuration options described in Table 2.8.


Table 2.8: Options for the apache Profile
Option Setting
flow_depth 300
chunk encoding alert on chunks larger than 500000 bytes
ascii decoding on, alert off
multiple slash on, alert off
directory normalization on, alert off
webroot on, alert on
apache whitespace on, alert on
utf_8 encoding on, alert off
non_strict url parsing on
tab_uri_delimiter is set

24-C.
iis

The iis profile mimics IIS servers. So that means we use IIS Unicode codemaps for each server, %u encoding, bare-byte encoding, double decoding, backslashes, etc. profile iis sets the configuration options described in Table 2.9.


Table 2.9: Options for the iis Profile
Option Setting
flow_depth 300
chunk encoding alert on chunks larger than 500000 bytes
iis_unicode_map codepoint map in the global configuration
ascii decoding on, alert off
multiple slash on, alert off
directory normalization on, alert off
webroot on, alert on
double decoding on, alert on
%u decoding on, alert on
bare byte decoding on, alert on
iis unicode codepoints on, alert on
iis backslash on, alert off
iis delimiter on, alert on
apache whitespace on, alert on
non_strict URL parsing on

The default options used by HTTP Inspect do not use a profile and are described in Table 2.10.


Table 2.10: Default HTTP Inspect Options
Option Setting
port 80
flow_depth 300
chunk encoding alert on chunks larger than 500000 bytes
ascii decoding on, alert off
utf_8 encoding on, alert off
multiple slash on, alert off
directory normalization on, alert off
webroot on, alert on
iis backslash on, alert off
apache whitespace on, alert off
iis delimiter on, alert off
non_strict URL parsing on
max_header_length alert off

Profiles must be specified as the first server option and cannot be combined with any other options except:
  • ports
  • iis_unicode_map
  • allow_proxy_use
  • flow_depth
  • no_alerts
  • inspect_uri_only
  • oversize_dir_length
These options must be specified after the profile option.

next up previous contents
Next: Example Up: HTTP Inspect Previous: Example IP Configuration   Contents
Steven Sturges 2008-04-01
site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.