I am trying to tune my new Snort box. I am getting a number of false positive alerts related to the http_inspect preprocessor. The alerts are associated with outgoing traffic from my users going to various websites and not incoming traffic to my webserver. In addition, we are only allowing inbound SSL connections for our web mail. These are the alerts that are being triggered:
http_inspect: BARE BYTE UNICODE ENCODING
http_inspect: DOUBLE DECODING ATTACK
http_inspect: IIS UNICODE CODEPOINT ENCODING
If I edit the snort.conf file with something like this:
preprocessor http_inspect_server: server default \
    ports { 80 3128 } \
    non_strict \
    non_rfc_char { 0x00 } \
    flow_depth 300 \
    bare_byte no \
    double_decode no \
    iis_unicode no
Will this eliminate the alerts I am getting? Also, will it impact the processing down the line for the rules I've enabled? As I understand it, the http_inspect preprocessor also assists with the detection of rule violations enabled in the snort.conf file as well. In general, I want to limit the numerous false positives I am getting, but not at the expense of somewhat crippling the effectiveness of the IDS.
Thanks!
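The following is an added configuration example, not part of the original post and not the poster's own snort.conf. It puts the proposed change (turning the three decoders off) next to an alternative that keeps the decoders on and suppresses only the three events, and only for the internal client range. The 192.0.2.0/24 range is a placeholder, and the GID 119 SIDs are assumed values for the three messages quoted in the post; confirm them against preprocessor.rules or sid-msg.map in the installed Snort version before using them.

```conf
# Added example (not from the original post). IP range is a placeholder.

# --- Option A: what the post proposes -----------------------------------
# "no" turns the decoder off, not just the alert. http_inspect then stops
# normalising bare-byte, double-encoded and IIS-codepoint URIs, so rules
# that match on the normalised URI (uricontent / http_uri) are handed the
# still-encoded request and can miss what they were written to catch.
preprocessor http_inspect_server: server default \
    ports { 80 3128 } \
    flow_depth 300 \
    bare_byte no \
    double_decode no \
    iis_unicode no

# --- Option B: keep decoding on, silence only the noisy events ----------
# Decoding (and therefore URI normalisation for downstream rules) stays
# enabled for every flow; the three alerts are suppressed only when the
# source is the internal user range, so requests arriving at the web
# server from outside still raise them.
preprocessor http_inspect_server: server default \
    ports { 80 3128 } \
    flow_depth 300 \
    bare_byte yes \
    double_decode yes \
    iis_unicode yes

# GID 119 = http_inspect client-side events. SIDs below are ASSUMED for
# DOUBLE DECODING ATTACK, BARE BYTE UNICODE ENCODING and IIS UNICODE
# CODEPOINT ENCODING respectively; verify against preprocessor.rules.
suppress gen_id 119, sig_id 2, track by_src, ip 192.0.2.0/24
suppress gen_id 119, sig_id 4, track by_src, ip 192.0.2.0/24
suppress gen_id 119, sig_id 7, track by_src, ip 192.0.2.0/24
```

Only one of the two http_inspect_server blocks should be present in a real snort.conf; they are shown together for comparison. If per-event suppression is more granular than needed, the `no_alerts` keyword on the http_inspect_server line disables every http_inspect alert for that server definition while leaving normalisation in place, which is still preferable to switching the decoders off.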