--- version 1.23, 2008/03/04 20:11:18
+++ version 1.24, 2008/06/16 18:35:16

 HttpInspect
 -----------
-Daniel Roelker <droelker@sourcefire.com>
+Originally authored by Daniel Roelker
+Updated by members of Snort Team
 
 -- Overview --
 HttpInspect is a generic HTTP decoder for user applications. Given a data
 buffer, HttpInspect will decode the buffer, find HTTP fields, and normalize
 the fields. HttpInspect works on both client requests and server responses.
 
-The initial version of HttpInspect only handled stateless processing. The
-stateless version of HttpInspect looks for HTTP fields on a packet by packet
-basis, and will be fooled if packets are not reassembled. This works fine
-when there is another module handling the reassembly, but there are
-limitations in analyzing the protocol.
+The current version of HTTP Inspect only handles stateless processing. This
+means that HTTP Inspect looks for HTTP fields on a packet-by-packet basis, and
+will be fooled if packets are not reassembled. This works fine when there is
+another module handling the reassembly, but there are limitations in analyzing
+the protocol. Future versions will have a stateful processing mode which will
+hook into various reassembly modules.
 
 - Configuration --
 HttpInspect has a very "rich" user configuration. Users can configure
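Review bot: the rewritten overview paragraph ("The current version of HTTP Inspect only handles stateless processing ... Future versions will have a stateful processing mode") contradicts the "--Options Available Under Stateful Inspection--" section that this same file still carries further down; if stateful inspection is available, keep the 1.23 wording ("The initial version of HttpInspect only handled stateless processing") or reword so both sections agree. The paragraph also switches between "HTTP Inspect" and "HttpInspect"; use one spelling throughout the README.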
...
 - ports
 - iis_unicode_map
 - allow_proxy_use
-- flow_depth
+- server_flow_depth
+- client_flow_depth
 - no_alerts
 - inspect_uri_only
 - oversize_dir_length
+- normalize_headers
+- normalize_cookies
 These options must be specified after the 'profile' option.
 
 Example:
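Review bot: the option summary drops flow_depth entirely, yet the option section below still documents "* flow_depth [integer] * (to be deprecated)"; either keep a line such as "- flow_depth (deprecated, use server_flow_depth)" here so users searching for the old keyword find the migration hint, or remove the entry from both places consistently.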
...
 code page by looking at the available code pages that the ms_unicode_generator
 outputs.
 
-* flow_depth [integer] *
+* server_flow_depth [integer] *
+* flow_depth [integer] * (to be deprecated)
 This specifies the amount of server response payload to inspect. This option
 significantly increases IDS performance because we are ignoring a large part of
 the network traffic (HTTP server response payloads). A small percentage of
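Review bot: "* flow_depth [integer] * (to be deprecated)" should say what replaces it and how a configuration that sets both keywords is resolved, e.g. "(to be deprecated; alias for server_flow_depth)" followed by a sentence on precedence; as written, a user who keeps the old keyword cannot tell whether it also affects client-side inspection (client_flow_depth) or only the server response limit.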
...
 Note that the 1460 byte maximum flow_depth applies to stream
 reassembled packets as well.
 
+* client_flow_depth [integer] *
+This specifies the amount of raw client request payload to inspect. It is
+similar to server_flow_depth (above), and has a default value of 300. It
+primarily eliminates Snort fro inspecting larger HTTP Cookies that appear
+at the end of many client request Headers.
+
 * ascii [yes/no] *
 The ASCII decode option tells us whether to decode encoded ASCII chars, a.k.a
 %2f = /, %2e = ., etc. I suggest you don't log alerts for ASCII since it is
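Review bot: the unchanged context lines "Note that the 1460 byte maximum flow_depth applies to stream reassembled packets as well." still name the option being deprecated; update them to server_flow_depth and say whether the 1460 byte maximum also bounds client_flow_depth. In the added client_flow_depth paragraph, "fro inspecting" should read "from inspecting", and since the stated purpose is to skip large Cookie headers, the text should state how 0 is interpreted and what remains inspected when a request header exceeds the configured depth.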
...
 'inspect_uri_only' configuration turns off all forms of detection except
 uricontent inspection.
 
-* max_header_length *
+* max_header_length [positive integer] *
 This option takes an interger as an argument. The integer is the maximum length
 allowed for an HTTP client request header field. Requests that exceed this
 length will cause a "Long Header" alert. This alert is off by default. To
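Review bot: now that the heading states "[positive integer]", the description's first sentence ("This option takes an interger as an argument") is redundant and misspelled; drop it or fix "interger", and state whether 0 or omitting the option disables the Long Header check, since "positive" implies 0 is not a valid value.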
...
 with, the whitespace_chars option. For more details on its use, see the
 whitespace_chars section above.
 
+* normalize_headers *
+This option turns on normalization for HTTP Header Fields, not including
+Cookies (using the same configuration parameters as the URI normalization (ie,
+multi-slash, directory, etc.). It is useful for normalizing Referrer URIs
+that may appear in the HTTP Header.
+
+* normalize_cookies *
+This option turns on normalization for HTTP Cookie Fields (using the same
+configuration parameters as the URI normalization (ie, multi-slash, directory,
+etc.). It is useful for normalizing data in HTTP Cookies that may be
+encoded.
+
 --Options Available Under Stateful Inspection--
 
 * base64 [yes/no] *
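Review bot: both added descriptions have unbalanced parentheses ("(using the same configuration parameters as the URI normalization (ie, multi-slash, directory, etc.)." opens two and closes one) and should write "i.e.,"; for normalize_headers, the HTTP header is spelled "Referer", so "Referer header values" is more accurate than "Referrer URIs". Neither entry says whether normalization alone raises alerts or only supplies the normalized buffer to rules, which is what a rule writer needs to know.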
...
 
 * Apache *
 
-flow_depth 300
+server_flow_depth 300
 non_strict URL parsing is set
 chunk encoding (alert on chunks larger than 500000 bytes)
 ascii decoding is on (alert off)
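Review bot: the Apache profile now lists server_flow_depth 300 but not client_flow_depth, while the defaults list at the end of the file adds client_flow_depth 300; state the client_flow_depth value each profile applies so the profile summaries and the defaults agree (the same omission appears in the IIS, IIS4_0/IIS5_0 and All profile hunks below).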
...
 
 * IIS *
 
-flow_depth 300
+server_flow_depth 300
 non_strict URL parsing is set
 chunk encoding (alert on chunks larger than 500000 bytes)
 iis_unicode_map is set to the codepoint map in the global configuration
...
 
 * IIS4_0 and IIS5_0 *
 
-flow_depth 300
+server_flow_depth 300
 non_strict URL parsing is set
 chunk encoding (alert on chunks larger than 500000 bytes)
 iis_unicode_map is set to the codepoint map in the global configuration
...
 
 * All *
 
-flow_depth 300
+server_flow_depth 300
 non_strict URL parsing is set
 chunk encoding (alert on chunks larger than 500000 bytes)
 iis_unicode_map is set to the codepoint map in the global configuration
...
 The following lists the defaults:
 
 Port 80
-flow_depth 300
+server_flow_depth 300
+client_flow_depth 300
 non_strict URL parsing is set
 chunk encoding (alert on chunks larger than 500000 bytes)
 ascii decoding is on (alert off)
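Review bot: the defaults list gains client_flow_depth 300 but says nothing about the new normalize_headers and normalize_cookies options; add their default state (on or off) so readers can tell whether header and cookie normalization happens without an explicit setting.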