{"id":374,"date":"2013-01-29T00:56:00","date_gmt":"2013-01-28T16:56:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=374"},"modified":"2025-07-27T18:26:17","modified_gmt":"2025-07-27T10:26:17","slug":"snort-preprocessor-http_inspect","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/374","title":{"rendered":"Snort preprocessor http_inspect"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><strong>http_inspect<\/strong><\/h2>\n\n\n\n<p>http_inspect\u662f\u7528\u5728\u4f7f\u7528\u8005\u61c9\u7528\u7a0b\u5f0f\u7684http\u89e3\u78bc\u5668,<br>\u6307\u5b9a\u4e00\u500b\u8cc7\u6599\u7de9\u885d\u5340,http_inspect\u6703\u5728\u7de9\u885d\u5340\u5167\u89e3\u78bc,\u4ee5\u53d6\u5f97http\u7684\u6b04\u4f4d\u4e26\u4f9d\u6a19\u6e96\u53d6\u5f97\u6b04\u4f4d\u5167\u5bb9<br>http_inspect\u904b\u4f5c\u5728\u7528\u6236\u7aef\u8acb\u6c42\u8207\u4f3a\u670d\u5668\u56de\u61c9\u7684\u5169\u8005\u9593<\/p>\n\n\n\n<p>\u76ee\u524dhttp_inspect\u7248\u672c\u53ea\u80fd\u8655\u7406stateless processing(\u7121\u72c0\u614b\u884c\u7a0b)<br>\u610f\u601d\u5c31\u662fhttp_inspect\u4f7f\u7528\u5c01\u5305by\u5c01\u5305\u70ba\u57fa\u790e\u7684\u65b9\u6cd5\u5c0b\u627ehttp\u6b04\u4f4d,\u4f46\u662f\u82e5\u5c01\u5305\u6c92\u88ab\u91cd\u7d44\u5c31\u6703\u88ab\u6b3a\u9a19<br>\u7576\u6709\u4e00\u500b\u6a21\u7d44\u5728\u8ca0\u8cac\u91cd\u7d44\u6642\u9019\u904b\u4f5c\u7684\u5f88\u597d,\u4f46\u5354\u5b9a\u5206\u6790\u4e0a\u662f\u6709\u6975\u9650\u7684<br>\u5728\u672a\u4f86\u7684\u7248\u672c\u5c07\u6703\u652f\u63f4stateful 
processing(\u5168\u72c0\u614b\u884c\u7a0b),\u4e26\u6574\u5408\u9032\u5404\u7a2e\u6a21\u7d44<\/p>\n\n\n\n<p>http_inspect\u6709\u975e\u5e38\u8c50\u5bcc\u7684\u4f7f\u7528\u8005\u7d44\u614b<br>\u4f7f\u7528\u8005\u53ef\u900f\u904e\u591a\u6a23\u5316\u7684\u9078\u9805\u8a2d\u5b9a\u500b\u5225\u7684server,\u9019\u4e9b\u9078\u9805\u53ef\u4ee5\u8b93\u4f7f\u7528\u8005\u6a21\u64ec\u5404\u7a2e\u985e\u578b\u7684server<br>\u9019\u4e9b\u9078\u9805\u4e3b\u8981\u5206\u70ba\u5169\u5927\u985e:<strong>global\u53caserver<\/strong><\/p>\n\n\n\n<p>&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>global configuration<\/strong><\/h2>\n\n\n\n<p><br>global\u7d44\u614b\u8ca0\u8cac\u8655\u7406http_inspect\u5168\u57df\u529f\u80fd\u7684\u7d44\u614b<br>ps:You can only have a single global configuration,you&#8217;ll get an error if you try otherwise<br>\u53c3\u6578\u5982\u4e0b<br><strong>preprocessor http_inspect : global<\/strong><br>ex:<br>preprocessor http_inspect:global<br>\u3000iis_unicode_map unicode.map 1252<\/p>\n\n\n\n<p><strong>iis_unicode_map &lt; map_filename&gt; [codemap &lt; integer&gt; ]<\/strong><br>\u6307\u5b9aUnicode codepoint map\u7684\u6a94\u6848,\u8a72\u6a94\u6848\u7684\u7528\u9014\u662f\u544a\u8a34http_inspect\u7576unicode\u5b57\u5143\u88ab\u89e3\u78bc\u8981\u4f7f\u7528\u90a3\u4e00\u500bcodepage(\u5b57\u78bc\u9801).\u9810\u8a2d\u4e0a\u662f\u4f7f\u7528snort\u5b89\u88dd\u4f86\u6e90\u76ee\u9304etc\u5167\u7684\u6a94\u6848unicode.map,\u8a72\u6a94\u6848\u5c6c\u65bcMicrosoft US Unicode codepoint map.\u82e5\u60f3\u81ea\u8a02snort\u7684unicode maps\u53ef\u4f7f\u7528&#8221;ms-unicode-generator.c&#8221;<br>\u5728US 
server\u4e0a,codemap\u901a\u5e38\u70ba1252.<br>ps:\u6a94\u6848\u4f4d\u7f6e\u53ef\u4f7f\u7528snort.conf\u6307\u5b9a\u7684\u76f8\u5c0d\u8def\u5f91\u4e5f\u53ef\u4f7f\u7528\u7d55\u5c0d\u8def<br>ps:\u8a72\u9078\u9805\u662f\u7528\u5728global IIS Unicode map,\u500b\u5225server\u53ef\u6307\u5b9a\u4ed6\u5011\u81ea\u5df1\u7684iis unicode map<br><strong>[detect_anomalous_servers]<\/strong><br>\u555f\u7528\u8a72\u9078\u9805\u53ef\u4f7f\u7528\u901a\u7528http\u4f3a\u670d\u5668\u6d41\u91cf\u6aa2\u67e5\u975ehttp\u7684port,\u4e26\u5728\u767c\u73fe\u6d41\u91cf\u6642\u8b66\u5831<br>\u82e5\u6c92\u5728server configuration\u4e2d\u6307\u5b9a\u4f7f\u7528\u8005\u53ef\u5b58\u53d6\u7684\u6240\u6709http server\u7684port,\u8acb\u4e0d\u8981\u555f\u7528\u8a72\u9078\u9805<br>\u672a\u4f86\u8a72\u9078\u9805\u53ef\u914d\u5408\u6307\u5b9a\u7684\u7db2\u8def\u6703\u66f4\u52a0\u6709\u7528,\u4f46\u73fe\u5728\u4ed6\u6703\u6aa2\u67e5\u6240\u6709\u7684\u7db2\u8def\u6d41\u91cf<br><strong>[proxy_alert]<\/strong><br>\u555f\u7528\u8a72\u529f\u80fd\u5f8c,\u5075\u6e2c\u5230\u4f7f\u7528proxy\u6642\u6703\u8b66\u5831<br>\u900f\u904e\u8a2d\u5b9ahttp_inspect:server\u4e26\u555f\u52d5allow_proxy_use,\u53ef\u91dd\u5c0d\u672a\u77e5proxy server\u8207rouge proxy\u7684\u4f7f\u7528\u505a\u8b66\u5831<br>\u8981\u6ce8\u610f\u7684\u4e00\u9ede\u662f,\u82e5\u4f7f\u7528\u8005\u6c92\u88ab\u8981\u6c42\u8a2d\u5b9aweb proxy\u5247\u6703\u5f97\u5230\u5f88\u591aproxy\u8b66\u5831<br>\u6240\u4ee5\u53ea\u80fd\u5728\u50b3\u7d71\u7684proxy\u74b0\u5883\u4e2d\u4f7f\u7528\u9019\u529f\u80fd<br>ps:Blind firewall proxies don&#8217;t count<br><strong>[max_gzip_mem &lt; num&gt;]<\/strong><br>\u6307\u5b9a\u4f7f\u7528\u591a\u5c11\u8a18\u61b6\u9ad4\u53ef\u7528\u4f86\u89e3\u58d3\u7e2e,\u55ae\u4f4d\u70babytes,\u53ef\u8a2d\u7bc4\u570d\u70ba3276byte~100mb<br>\u9019\u9078\u9805\u6703\u96a8\u8457compress_depth\u548cdecompress_depth\u5f71\u97ffgzip 
session\u7684\u89e3\u58d3\u7e2e,\u5728\u4efb\u4f55\u6307\u5b9a\u6642\u523b<br>\u9810\u8a2d\u503c\u662f838860<br><strong>[compress_depth &lt; num&gt;]<\/strong><br>\u6307\u5b9a\u5c01\u5305payload\u89e3\u58d3\u7e2e\u7684\u6700\u5927\u6578\u91cf,\u53ef\u8a2d\u7bc4\u570d\u70ba1~20480,\u9810\u8a2d\u503c\u662f1460<br><strong>[decompress_depth &lt; num&gt;]<\/strong><br>\u6307\u5b9a\u5f9e\u58d3\u7e2e\u5c01\u5305payload\u53d6\u5f97\u7684\u89e3\u58d3\u7e2e\u8cc7\u6599\u6700\u5927\u6578\u91cf,\u53ef\u8a2d\u7bc4\u570d\u70ba1~20480,\u9810\u8a2d\u503c\u662f2920<br>ps:<br>gzip session\u7684\u8a2d\u5b9a\u5efa\u8b70<br>max gzip session=max gzip mem\/(decompress depth + compress depth)<br><strong>disabled<\/strong><br>\u95dc\u9589http_inspect\u524d\u7f6e\u8655\u7406\u5668<br>\u4f46\u662f\u7576\u90193\u500b\u53c3\u6578&#8221;max gzip mem&#8221;,&#8221;compress depth&#8221;,&#8221;decompress depth&#8221;\u88ab\u8a2d\u5b9a\u6642\u9084\u662f\u6703\u6709\u5f71\u97ff,\u800c\u5176\u4ed6\u53c3\u6578\u88ab\u8a2d\u5b9a\u6642\u5247\u4e0d\u88ab\u4f7f\u7528<br><\/p>\n\n\n\n<p>&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Server Con\ufb01guration<\/strong><\/h2>\n\n\n\n<p>ps:\u6709yes\u6216no\u7684\u9078\u9805\u53ea\u662f\u6c7a\u5b9a\u662f\u5426\u8f38\u51fa\u8b66\u5831,\u800c\u4e0d\u662f\u8981\u6c42http_inspect\u555f\u7528\u67d0\u4e9b\u5206\u6790\u505a\u6aa2\u67e5<\/p>\n\n\n\n<p>\u53c3\u6578\u5982\u4e0b<br><strong>preprocessor http_inspect_server<\/strong><br>ex:<br>preprocessor http_inspect_server:<br>server { 10.1.1.1 10.2.2.0\/24 } profile all ports { 80 }<\/p>\n\n\n\n<p><strong>server &lt; target 
type&gt;<\/strong><br>\u6709\u5169\u7a2e\u985e\u578b\u8a2d\u5b9a\u65b9\u5f0f<br>\u3000default,\u5c07\u8a2d\u5b9a\u5957\u7528\u5728\u6240\u6709server<br>\u3000by ip,\u5c07\u8a2d\u5b9a\u5957\u7528\u5728\u6307\u5b9a\u7684server,\u53ef\u4ee5\u6307\u5b9a1\u500b\u6216\u591a\u500b<br>\u3000\u3000\u6307\u5b9a\u4e00\u500bip\u683c\u5f0f:server &lt; ip&gt;<br>\u3000\u3000\u6307\u5b9a\u591a\u500bip\u683c\u5f0f,\u4ee5\u7a7a\u767d\u5206\u9694:server { network1\/cidr ipaddr1 }<\/p>\n\n\n\n<p><strong>profile &lt; all|apache|iis|iis5_0|iis4_0&gt;<\/strong><br>\u4f7f\u7528\u8005\u53ef\u4ee5\u7528\u4e4b\u524d\u914d\u7f6e\u597d\u7684profile\u8a2d\u5b9ahttp_inspect,\u96d6\u7136\u9019\u53ef\u4ee5\u5f88\u65b9\u4fbf\u7684\u6839\u64da\u4e0d\u540c\u985e\u578b\u7684server\u505a\u8a2d\u5b9a,\u4f46\u9019\u4e9b\u8a2d\u5b9a\u4e26\u4e0d\u898b\u5f97\u90fd\u662f\u6700\u597d\u7684<br>\u67095\u7a2e\u5148\u524d\u914d\u7f6e\u597d\u7684profile\u53ef\u7528,\u5206\u5225\u70baall,apache,iis,iis5_0,iis4_0<br>\u3000<strong>all<\/strong><br>\u3000\u4f7f\u7528\u5e38\u898b\u7684\u6280\u5de7normalize(\u6b63\u898f\u5316)URI<br>\u3000\u5c0d\u56b4\u91cd\u7684\u9003\u907f\u578b\u5f0f\u66f4\u6703\u767c\u51fa\u8b66\u5831<br>\u3000\u5c0d\u65bc\u5075\u6e2c\u6240\u6709\u985e\u578b\u7684\u653b\u64ca\u800c\u9019\u662f\u4e00\u500b\u5f88\u597d\u7684profile,\u4e0d\u8ad6\u662f\u90a3\u7a2ehttp server<br>\u3000<strong>apache<\/strong><br>\u3000\u7528\u65bcapache server<br>\u3000\u8207iis\u4e0d\u540c\u7684\u5730\u65b9\u5728\u65bc\u53ea\u5141\u8a31UTF-8\u6a19\u6e96Unicode\u7de8\u78bc\u548c\u4e0d\u540c\u610fbackslashes(\u5012\u659c\u7dda)\u7576\u505a\u5408\u6cd5\u7684\u659c\u7dda<br>\u3000\u548ciis\u4e00\u6a23\u7684\u5730\u65b9\u662f\u90fd\u5141\u8a31tab\u7576\u505a\u7a7a\u767d<br><strong>\u3000iis<\/strong><br>\u3000\u53ef\u6a21\u64eciis server,\u6240\u4ee5\u6211\u5011\u53ef\u4ee5\u7528iis unicode codemap\u5728\u6bcf\u500bserver\u4e0a,\u50cf\u662f%u encoding,bare-byte encoding,double 
decoding,backslashes,&#8230;\u7b49<br><strong>\u3000iis4_0,iis5_0<\/strong><br>\u3000\u5728iis4\u548ciis5\u6709double decoding\u5f31\u9ede,\u9019\u5169\u500bprofile\u548ciis\u662f\u76f8\u540c\u7684,\u4e0d\u540c\u5728\u65bc,\u82e5\u8a72url\u5b58\u5728double decoding\u5247\u9810\u8a2d\u6703\u8b66\u5831<br>\u3000Double decode\u5728iis5.1\u4e4b\u5f8c\u7684\u7248\u672c\u90fd\u4e0d\u5728\u652f\u63f4,\u6240\u4ee5\u5728\u9810\u8a2d\u662f\u95dc\u9589<br><strong>\u3000default<\/strong><br>\u3000\u82e5profile\u672a\u6307\u5b9a\u5247\u4f7f\u7528default<br>ps:<br><strong>\u6ce8\u610f\u4e8b\u9805<\/strong><br>profile\u5fc5\u9808\u8a2d\u5b9a\u5728http_inspect : server\u4e4b\u5f8c\u9078\u9805\u7684\u7b2c\u4e00\u500b,\u800c\u4e14\u4e0d\u53ef\u4ee5\u548c\u5176\u4ed6\u9078\u9805\u4e00\u8d77\u4f7f\u7528<br>\u4f46\u4ee5\u4e0boption\u53ef\u548cprofile\u7d44\u5408\u4f7f\u7528<br>ports<br>iis unicode map<br>allow proxy use<br>server flow depth<br>client flow depth<br>post depth<br>no alerts<br>inspect uri only<br>oversize dir length<br>normalize headers<br>normalize cookies<br>max header length<br>max headers<br>extended response inspection<br>enable cookie<br>inspect gzip<br>ex:option port\u53ef\u4ee5\u8207profile\u7d44\u5408\u4f7f\u7528<br>preprocessor http_inspect_server:<br>server 1.1.1.1 profile all<br>ports { 80 3128 }<\/p>\n\n\n\n<p>ps:<br><strong>\u5404profile\u9810\u8a2doption<\/strong><br>port =80[default]<br>server_\ufb02ow_depth =300 [all,apache,iis,default]<br>client_\ufb02ow_depth =300 [all,apache,iis,default]<br>post_depth =0 [all,apache,iis,default]<br>chunk encoding =alert on chunks larger than 500000bytes [all,apache,iis,default]<br>iis_unicode_map =codepoint map in the global con\ufb01guration [all,iis]<br>ascii decoding =on,alert off [all,apache,iis,default]<br>multiple slash =on,alert off [all,apache,iis,default]<br>directory normalization =on,alert off [all,apache,iis,default]<br>apache whitespace =on,alert off [all,default] =on,alert on [apache,iis]<br>double 
decoding =on,alert on [all,iis]<br>%u decoding =on,alert on [all,iis]<br>bare byte decoding =on,alert on [all,iis]<br>iis unicode codepoints =on,alert on [all,iis]<br>iis backslash =on,alert off [all,iis,default]<br>iis delimiter =on,alert off [all,default] =on,alert on[iis]<br>webroot =on,alert on [all,apache,iis,default]<br>utf_8 encoding =on,alert off [apache,default]<br>non_strict URL parsing =on [all,apache,iis,default]<br>tab_uri_delimiter =is set [all,apache]<br>max_header_length =0,header length not checked [all,apache,iis,default]<br>max_headers =0,number of headers not checked [all,apache,iis,default]<\/p>\n\n\n\n<p>&#8230;<\/p>\n\n\n\n<p><strong>\u5176\u4ed6\u53c3\u6578<\/strong><br><strong>ports {&lt; port&gt; [&lt; port&gt; &lt; &#8230;&gt;]}<\/strong><br>\u8a2d\u5b9a\u7528\u90a3\u4e00\u500bport\u5075\u6e2chttp server,\u4e0d\u904ehttps\u6d41\u91cf\u88ab\u52a0\u5bc6\u800c\u4e14\u6240\u4ee5\u7121\u6cd5\u88abhttp_inspect\u89e3\u78bc,\u82e5\u8981\u5ffd\u7565https\u6d41\u91cf\u5247\u9700\u4f7f\u7528ssl preprocessor<br><strong>iis_unicode_map &lt; map filename&gt; codemap &lt; integer&gt;<\/strong><br>iis_unicode_map\u662f\u900f\u904ems_unicode_generator.c\u7a0b\u5f0f\u7522\u751f\u7684,\u8a72\u7a0b\u5f0f\u88ab\u653e\u5728http:\/\/www.snort.org\/dl\/contrib\/<br>\u57f7\u884c\u9019\u652f\u7a0b\u5f0f\u53ef\u70ba\u4f60\u6b63\u5728\u904b\u4f5c\u7684\u7cfb\u7d71\u7522\u751f\u4e00\u4efdunicode map<br>\u6240\u4ee5,\u82e5\u8981\u5f9eiis server\u5f97\u5230\u6307\u5b9a\u7684unicode map,\u5fc5\u9808\u5728\u8a72server\u4e0a\u57f7\u884c\u9019\u652f\u7a0b\u5f0f,\u4e26\u5728\u7d44\u614b\u6a94\u4e2d\u4f7f\u7528\u8a72unicode map<br>\u7576\u4f7f\u7528\u9019\u9078\u9805\u6642,\u9700\u8981\u6307\u5b9a\u5305\u542bunicode map\u7684\u6a94\u6848,\u800c\u4e14\u4e5f\u8981\u6307\u5b9a\u4f7f\u7528\u8a72unicode map<br>\u5728us 
server,codemap\u901a\u5e38\u662f1252,\u4f46\u662fms_unicode_generator\u7a0b\u5f0f\u6703\u6307\u51fa\u90a3\u4e00\u500bcodemap\u662fserver\u8981\u7528\u7684,\u8a72\u7a0b\u5f0f\u4f7f\u7528ANSI code page<br>\u53ef\u4ee5\u5f9ems_unicode_generator\u7a0b\u5f0f\u8f38\u51fa\u53ef\u7528\u7684code page\u4e2d\u9078\u64c7\u4e00\u500b\u6b63\u78ba\u7684<br><strong>extended_response_inspection<\/strong><br>\u64f4\u5927http\u56de\u61c9\u6aa2\u67e5,http_inspect\u9810\u8a2d\u662f\u4e0d\u6aa2\u67e5http\u56de\u61c9\u7684\u5404\u7a2e\u6b04\u4f4d,\u555f\u7528\u8a72\u9078\u9805\u5f8c\u5c07\u6703\u5fb9\u5e95\u6aa2\u67e5<br>\u9810\u8a2d\u7684http\u6b04\u4f4d,\u50cf\u662fstatus code,status message,headers,cookie(\u7576enable_cookie\u88ab\u8a2d\u5b9a\u6642),body,\u90fd\u6703\u88ab\u89e3\u958b\u4e26\u653e\u5165\u7de9\u885d\u5340<br>\u4e0d\u540c\u7684\u898f\u5247\u9078\u9805\u53ef\u7528\u4f86\u6aa2\u67e5\u90a3\u4e9b\u7de9\u885d\u5340<br><strong>enable_cookie<\/strong><br>\u5f9ehttp\u7684\u8981\u6c42\u548c\u56de\u61c9\u4e2d\u89e3\u6790cookie,\u9810\u8a2d\u662f\u95dc\u9589\u89e3\u6790\u548c\u6aa2\u67e5<br><strong>inspect_gzip<\/strong><br>\u8981\u6c42http_inspect\u5f9ehttp\u56de\u61c9\u4e2d\u89e3\u58d3\u7e2ecompressed 
data(gzip\/de\ufb02ate),\u5728\u555f\u7528\u8a72\u9078\u9805\u524d\u61c9\u8a72\u8981\u5148\u555f\u7528\u9078\u9805extended_response_inspection<br>\u5f9e\u5c01\u5305\u4e2d\u9032\u884c\u89e3\u58d3\u7e2e\u6642,\u6574\u500b\u904e\u7a0b\u6703\u4f9d\u9078\u9805compress_depth\u548cdecompress_depth\u6307\u5b9a\u7684\u503c\u5df1\u9054\u5230\u800c\u7d50\u675f,\u800c\u8cc7\u6599\u89e3\u58d3\u7e2e\u5b8c\u4e5f\u6703\u7d50\u675f<br>\u7576\u58d3\u7e2e\u7684\u8cc7\u6599\u662f\u5728\u591a\u500b\u5c01\u5305\u4e2d\u6642,\u6700\u5f8c\u4e00\u500b\u5c01\u5305\u89e3\u958b\u7684\u72c0\u614b\u662f\u7528\u4f86\u89e3\u958b\u4e0b\u4e00\u500b\u5c01\u5305\u7684\u8cc7\u6599<br>\u4f46\u9019\u89e3\u958b\u7684\u8cc7\u6599\u5206\u5225\u88ab\u6aa2\u67e5(\u4f8b\u5982\u5f9e\u4e0d\u540c\u5c01\u5305\u4e2d\u89e3\u958b\u7684\u8cc7\u6599\u5728\u6aa2\u67e5\u4e2d\u662f\u4e0d\u6703\u88ab\u7d50\u5408\u7684)<br>\u4e5f\u5c31\u662f\u6aa2\u67e5\u89e3\u958b\u8cc7\u6599\u7684\u6578\u91cf\u5c07\u53d6\u6c7a\u65bcserver_flow_depth\u7d44\u614b<br>ps:\u82e5\u8981\u58d3\u7e2ehttp server\u56de\u61c9,snort\u5728configure\u6642\u8981\u5728\u52a0 -enable-zlib<br><strong>server_flow_depth &lt; integer&gt;<\/strong><br>\u6307\u5b9a\u6aa2\u67e5server\u56de\u61c9payload\u7684\u6578\u91cf,\u8a72\u9078\u9805\u986f\u7136\u6703\u589e\u52a0IDS\u6548\u80fd,\u56e0\u70ba\u5ffd\u7565\u4e86\u7db2\u8def\u6d41\u91cf\u7684\u4e00\u5927\u90e8\u4efd(http server response payloads)<br>snort\u898f\u5247\u6709\u4e00\u5c0f\u90e8\u4efd\u91dd\u5c0d\u9019\u4e9b\u6d41\u91cf,\u800c\u90a3\u4e9bsnort\u898f\u5247\u6703\u56e0\u5c0f\u7684flow_depth\u503c\u800c\u53ef\u80fd\u5c0e\u81f4false negatives<br>\u5927\u90e8\u4efd\u898f\u5247\u7684\u76ee\u6a19\u82e5\u4e0d\u662fhttp 
header,\u90a3\u5c31\u50cf\u662f\u524d100\u500b\u7684\u5167\u5bb9,\u6216\u975eheader\u7684bytes<br>header\u901a\u5e38\u662f\u5c0f\u65bc300bytes,\u4f46mileage(\u91cc\u7a0b)\u53ef\u80fd\u591a\u6a23\u5316<br>integer\u53ef\u8a2d\u5b9a-1\u52302920\u4e4b\u9593<br>-1\u8868\u793a\u5ffd\u7565\u6240\u6709\u5b9a\u7fa9\u5728\u9078\u9805port\u4e2d\u7684server\u6d41\u91cf<br>\u76f8\u53cd\u76840\u8868\u793a\u6aa2\u67e5\u6240\u6709\u5b9a\u7fa9\u5728\u9078\u9805port\u4e2dhttp server payload(\u9019\u5c07\u964d\u4f4eIDS\u6548\u80fd)<br>1\u4ee5\u4e0a\u7684\u503c\u5247\u8981\u6c42\u5728server\u56de\u61c9\u4e2d\u6aa2\u67e5\u7b2c\u4e00\u500b\u5c01\u5305bytes\u7684\u91cf<br>\u7576inspect_gzip\u555f\u7528\u6642,\u5efa\u8b70\u8a2d\u5b9a\u6210\u6700\u5927\u503c\u6216\u662f\u548cdecompress_depth\u4e00\u6a23<br>ps:server_flow_depth\u548c\u672a\u4f86\u4e0d\u4f7f\u7528\u7684flow_depth\u662f\u529f\u80fd\u76f8\u540c\u7684<br><strong>client_flow_depth &lt; integer&gt;<\/strong><br>\u6307\u5b9a\u6aa2\u67e5raw client request payload\u7684\u6578\u91cf,\u8a72\u9078\u9805\u985e\u4f3cserver_flow_depth,\u9810\u8a2d\u503c\u70ba300<br>\u5b83\u4e3b\u8981\u6d88\u9664snort\u6aa2\u67e5\u8f03\u5927\u7684http cookie,\u9019\u4e9bcookie\u51fa\u73fe\u5728\u591a\u500bclient\u8981\u6c42header\u7684\u7d50\u675f\u5f8c<br><strong>post_depth &lt; integer&gt;<\/strong><br>\u6307\u5b9a\u6aa2\u67e5client post message\u7684\u6578\u91cf,integer\u53ef\u8a2d\u5b9a0\u523065495\u4e4b\u9593,\u9810\u8a2d\u503c\u662f0<br>\u82e5\u53ea\u6aa2\u67e5post message\u4e2d\u6307\u5b9a\u7684bytes\u53ef\u589e\u52a0\u6548\u80fd<br><strong>ascii &lt; yes|no&gt;<\/strong><br>\u662f\u5426\u89e3\u78bc\u6216\u7de8\u78bcascii\u5b57\u5143,\u4f8b\u5982%2f=\u659c\u7dda,%2e=\u9ede<br>\u5728url\u4e2d\u4f7f\u7528ascii\u7de8\u78bc\u5f88\u6b63\u5e38,\u5efa\u8b70\u95dc\u9589\u8a72\u9078\u9805\u4ee5\u9632http_inspect\u8b66\u5831<br><strong>extended_ascii_uri<\/strong><br>\u5728HTTP request URI\u4e2d\u652f\u63f4extended ascii 
codes,\u9810\u8a2d\u662f\u95dc\u9589,\u4e14\u6c92\u5728\u4efb\u4f55profile\u4e2d<br><strong>utf_8 &lt; yes|no&gt;<\/strong><br>\u662f\u5426\u89e3\u78bc\u5728uri\u4e2d\u7684standard UTF-8 Unicode,\u9019\u5c0a\u5faaunicode\u6a19\u6e96\u4e26\u53ea\u7528%\u7de8\u78bc,<br>apache\u4f7f\u7528\u9019\u6a23\u7684\u6a19\u6e96,\u56e0\u6b64\u5728\u4efb\u4f55apache server\u90fd\u61c9\u8a72\u8981\u78ba\u4fdd\u8a72\u9078\u9805\u662f\u958b\u555f\u7684<br>\u81f3\u65bc\u8b66\u5831,\u4f60\u53ef\u80fd\u6709\u8208\u8da3\u77e5\u9053\u4f55\u6642\u6703\u6709UTF8\u7de8\u78bc\u7684URI<br>\u4f46\u662f\u7576\u5408\u6cd5\u7684web client\u4f7f\u7528\u9019\u985e\u578b\u7684\u7de8\u78bc\u662f\u5f88\u5bb9\u6613\u767c\u751f\u8aa4\u5831\u7684<br>\u7576utf_8\u555f\u7528\u6642,\u4e5f\u6703\u555f\u7528ascii\u89e3\u78bc\u4ee5\u52a0\u5f37\u6b63\u78ba\u6027<br><strong>u_encode &lt; yes|no&gt;<\/strong><br>\u8a72\u9078\u9805\u6a21\u64ecIIS %u encoding scheme(\u7de8\u78bc\u9ad4\u7cfb)<br>\u8a72\u7de8\u78bc\u9ad4\u7cfb\u7d50\u69cb\u70ba%u&lt; 4char&gt;,\u90194char\u662f\u8207iis unicode codepoint\u6709\u95dc\u7684hex-encoded(16\u9032\u5236\u7de8\u78bc)\u503c,\u9019\u4e9b\u53ef\u4ee5\u662fascii,\u50cf\u662f,%u002f=\u659c\u7dda,%u0041=\u2018A&#8217;<br>\u82e5\u6c92\u6709iis_unicode_map\u88ab\u6307\u5b9a,\u5247\u4f7f\u7528\u9810\u8a2d\u7684codemap<br>\u5efa\u8b70\u8b66\u5831%u\u7de8\u78bc,\u56e0\u70ba\u4efb\u4f55\u4f7f\u7528\u9019\u4e9b\u7de8\u78bc\u7684\u5408\u6cd5\u5ba2\u6236\u7aef\u7121\u6cd5\u5bdf\u89ba\u5230,\u6240\u4ee5\u4e00\u4e9b\u5617\u8a66\u96b1\u853d\u7684\u4eba\u662f\u6700\u6709\u53ef\u80fd\u7684<br>ps:\u56e0\u70ba%u\u7de8\u78bc\u4e0d\u662f\u6a19\u6e96\u7de8\u78bc\uff0c\u6240\u4ee5\u4e00\u822c\u7684IDS\u7121\u6cd5\u89e3\u78bc%u\uff0c\u6240\u4ee5\u80fd\u7e5e\u904eIDS\u7684\u6aa2\u6e2c<br><strong>bare_byte &lt; yes|no&gt;<\/strong><br>bare 
byte\u7de8\u78bc\u662f\u7528\u5728iis\u7684\u8dea\u8a08,\u7576\u5728\u89e3\u78bcutf8\u6642,\u5b83\u6703\u4f7f\u7528\u975eascii\u5b57\u5143\u5145\u7576\u5408\u6cd5\u503c<br>\u9019\u4e0d\u662fhttp\u6a19\u6e96,\u56e0\u70ba\u6240\u6709\u975eascii\u7de8\u78bc\u5fc5\u9808\u7528%<br>bare byte\u7de8\u78bc\u8b93\u4f7f\u7528\u8005\u6a21\u64ec\u4e00\u500biis\u4f3a\u670d\u5668\u4e26\u6b63\u78ba\u5730\u89e3\u91cb\u975e\u6a19\u6e96\u7de8\u78bc<br>\u5efa\u8b70\u958b\u555f\u8a72\u8b66\u5831,\u56e0\u70ba\u6c92\u6709\u5408\u6cd5\u5ba2\u6236\u7aef\u7528utf8\u65b9\u6cd5\u7de8\u78bc,\u56e0\u70ba\u4ed6\u662f\u975e\u6a19\u6e96\u7684<br><strong>base36 &lt; yes|no&gt;<\/strong><br>\u89e3\u78bcbase36\u7de8\u78bc\u5b57\u5143,\u82e5u_encoding\u88ab\u555f\u7528,\u8a72\u9078\u9805\u4e0d\u6703\u904b\u4f5c,<br>\u555f\u7528\u8a72\u9805\u5fc5\u9808\u642d\u914d\u555f\u7528utf_8<br>\u7576base36\u555f\u7528\u5f8c,ascii\u4e5f\u6703\u88ab\u555f\u7528\u4ee5\u52a0\u5f37\u6b63\u78ba\u6027<br><strong>iis_unicode &lt; yes|no&gt;<\/strong><br>\u555f\u7528unicode codepoint\u5c0d\u6620,\u82e5\u5728server config\u4e2d\u6c92\u6709\u6307\u5b9aiis_unicode_map,\u5247\u6703\u4f7f\u7528\u9810\u8a2d\u7684codemap<br>\u8a72\u9078\u9805\u8655\u7406iis\u53ef\u63a5\u53d7\u7684\u975eascii codepoints\u5c0d\u6620,\u4e26\u89e3\u78bc\u6b63\u5e38utf8\u8981\u6c42<br>\u8a72\u9078\u9805\u61c9\u8a72\u8981\u555f\u7528,\u56e0\u70ba\u4e3b\u8981\u53ef\u767c\u73fe\u653b\u64ca\u548c\u9003\u907f\u7684\u610f\u5716<br>\u8a72\u9078\u9805\u555f\u7528\u5f8c,ascii\u548cutf8\u7de8\u78bc\u4e5f\u6703\u88ab\u555f\u7528\u4ee5\u57f7\u884c\u6b63\u78ba\u5730\u89e3\u78bc,<br>\u82e5utf_8\u89e3\u78bc\u8981\u8b66\u5831,\u5fc5\u9808\u5c07utf_8\u8a2d\u70bayes<br><strong>double_decode &lt; 
yes|no&gt;<\/strong><br>\u8a72\u9078\u9805\u4e00\u6a23\u662f\u7528\u5728iis\u4e0a,\u4e26\u6a21\u64eciis\u529f\u80fd,iis\u5728uri\u8acb\u6c42\u6703\u505a2\u6b21,\u6bcf\u6b21\u90fd\u6703\u505a\u4e00\u6b21\u89e3\u78bc<br>\u7b2c\u4e00\u6b21,\u4f3c\u4e4e\u6240\u6709\u985e\u578b\u7684iis\u7de8\u78bc\u5df1\u5b8c\u6210:utf-8 unicode,ascii,bare byte,%u<br>\u7b2c\u4e8c\u6b21,\u9019\u4e9b\u7de8\u78bc\u88ab\u5b8c\u6210:ascii,bare byte,%u ,<br>\u4e4b\u6240\u4ee5\u7701\u7565utf8\u7684\u539f\u56e0\u662f,%u encoded utf-8\u5728\u7b2c\u4e00\u6b21\u88ab\u89e3\u78bc\u6210\u70baunicode byte,\u7136\u5f8cutf8\u5728\u7b2c\u4e8c\u6b21\u88ab\u89e3\u78bc<br>\u7121\u8ad6\u5982\u4f55,\u9019\u5341\u5206\u8907\u96dc\u800c\u4e14\u589e\u52a0\u5b57\u5143\u5728\u4e0d\u540c\u7de8\u78bc\u7684\u8ca0\u64d4<br>\u7576double_decode\u88ab\u555f\u7528,\u90a3ascii\u4e5f\u6703\u88ab\u555f\u7528\u4ee5\u589e\u52a0\u89e3\u78bc\u6b63\u78ba\u6027<br><strong>non_rfc_char {&lt; byte&gt; [&lt; byte&#8230;&gt;]}<\/strong><br>\u82e5\u67d0\u500b\u975erfc\u5b57\u5143\u88ab\u7528\u5728uri\u8acb\u6c42\u5247\u767c\u51fa\u8b66\u5831,<br>\u4f8b\u5982,\u53ef\u8a2d\u5b9a\u82e5\u51fa\u73fenull byte\u5728uri\u8acb\u6c42\u4e2d\u5247\u8b66\u5831<br>\u4f7f\u7528\u6b64\u9078\u9805\u8981\u5c0f\u5fc3,\u56e0\u70ba\u53ef\u4ee5\u8a2d\u5b9a\u8b66\u5831\u6bcf\u500b\u659c\u7dda\u6216\u985e\u4f3c\u50cf\u90a3\u4e9b\u7684,\u5b83\u975e\u5e38\u5f48\u6027\u6240\u4ee5\u8981\u6ce8\u610f<br><strong>multi_slash &lt; yes|no&gt;<\/strong><br>\u5c07\u4e00\u884c\u4e2d\u7684\u591a\u500b\u659c\u7dda\u6062\u5fa9\u6b63\u5e38,\u50cffoo\/\/\/\/\/bar\u6062\u5fa9\u6b63\u5e38\u5f8c\u8b8a\u6210foo\/far<br>\u7576\u767c\u73fe\u591a\u500b\u659c\u7dda\u6642\u8981\u767c\u51fa\u8b66\u5831\u5c31\u8a2dyes<br><strong>iis_backslash &lt; yes|no&gt;<\/strong><br>\u5c07\u53cd\u659c\u7dda\u6062\u5fa9\u6210\u6b63\u5e38\u7684\u659c\u7dda,\u9019\u5728\u4e00\u6b21\u6a21\u64eciis<br>\u50cf\/foobar\u6062\u5fa9\u6b63\u5e38\u5f8c\u8b8a\u6210\/foo\/bar<br><strong>directory &lt; 
yes|no&gt;<\/strong><br>\u8a72\u9078\u9805\u5c07directory traversals\u548cself-referential directories(\u81ea\u6211\u53c3\u7167\u76ee\u9304)\u6062\u5fa9\u6b63\u5e38<br>\u50cf\/foo\/fake_dir\/..\/bar\u6062\u5fa9\u6b63\u5e38\u5f8c\u8b8a\u6210\/foo\/bar<br>\u50cf\/foo\/.\/bar\u6062\u5fa9\u6b63\u5e38\u5f8c\u8b8a\u6210\/foo\/bar<br>\u82e5\u767c\u73fe\u6642\u8b66\u5831\u5247\u8a2d\u5b9a\u6210yes,\u8b66\u5831\u53ef\u80fd\u8aa4\u5224,\u56e0\u70ba\u4e00\u4e9b\u7db2\u7ad9\u6703\u4f7f\u7528directory traversals\u5f15\u7528\u6a94\u6848<br><strong>apache_whitespace &lt; yes|no&gt;<\/strong><br>\u8a72\u9078\u9805\u8655\u7406\u4f7f\u7528tab\u7576\u7a7a\u767d\u5206\u9694\u7684\u975erfc\u6a19\u6e96,apache\u4f7f\u7528\u9019\u500b,\u6240\u4ee5\u82e5\u7db2\u7ad9\u662fapache\u5c31\u555f\u7528<br>\u8a72\u9078\u9805\u7684\u8b66\u5831\u53ef\u80fd\u5f88\u6709\u8da3,\u4f46\u4e5f\u53ef\u80fd\u90fd\u662f\u8aa4\u5224<br><strong>iis_delimiter &lt; yes|no&gt;<\/strong><br>\u9019\u662fiis\u5c08\u5c6c\u7684,\u4f46apache\u8a8d\u70ba\u6b64\u975e\u6a19\u6e96\u7684\u5206\u9694\u7b26\u865f\u5f88\u597d,\u56e0\u70ba\u9019\u5f88\u666e\u53ca\u4e14\u5e38\u88ab\u7576\u505a\u6a19\u6e96,\u4e14\u5927\u90e8\u4efd\u7684\u7db2\u9801\u4f3a\u670d\u5668\u4e5f\u63a5\u53d7<br>\u82e5\u767c\u73fe\u5f8c\u4ecd\u7136\u8981\u8b66\u5831\u5247\u8a2d\u6210yes<br><strong>chunk_length &lt; non-zero positive integer&gt;<\/strong><br>\u8a72\u9078\u9805\u5c08\u9580\u5075\u6e2c\u7570\u5e38\u5927\u7684chunk,\u9019\u662fapache chunk\u7de8\u78bc\u5f31\u9ede,\u5728\u4f7f\u7528chunk\u7de8\u78bc\u7684http\u901a\u9053\u53ef\u80fd\u6703\u8b66\u5831<br>ps:client\u53ef\u5229\u7528chunk\u7684\u5f31\u9ede\u5c0d\u820a\u7248\u7684apache 
server\u505a\u7de9\u6c96\u5340\u6ea2\u4f4d\u653b\u64ca<br><strong>no_pipeline_req<\/strong><br>\u8a72\u9078\u9805\u505c\u7528http\u7ba1\u7dda\u89e3\u78bc,\u4e26\u5728\u9700\u8981\u6642\u589e\u5f37\u6548\u80fd,\u9810\u8a2d\u4e0a,\u7ba1\u7dda\u8981\u6c42\u88ab\u7528\u4f86\u6aa2\u67e5\u653b\u64ca<br>\u7576\u8a72\u9078\u9805\u4f7f\u7528\u5f8c,\u7ba1\u7dda\u8981\u6c42\u4e0d\u88ab\u89e3\u78bc\u4e5f\u4e0d\u5206\u6790\u6bcf\u500bhttp\u5354\u5b9a\u6b04\u4f4d,\u800c\u53ea\u662f\u4e00\u822c\u7279\u5fb5\u6bd4\u5c0d\u7684\u6aa2\u67e5<br><strong>non_strict<\/strong><br>\u8a72\u9078\u9805\u555f\u7528\u4e0d\u56b4\u683c\u7684URI\u89e3\u6790, \u8b93apache\u4f3a\u670d\u5668\u7528\u7834\u58de\u7684\u65b9\u6cd5\u89e3\u78bc<br>\u82e5server\u5141\u8a31\u9019\u6a23uri,\u50cf\u662f&#8221;get \/index.html alsjdfk alsj lj aj la jsj sn&#8221;,\u4e00\u5b9a\u8981\u4f7f\u7528\u8a72\u9078\u9805,\u5b83\u6703\u5c07URI\u5b9a\u7fa9\u70ba&#8221;\/index.html&#8221;<br>\u5373\u4f7f\u6c92\u6709\u5408\u6cd5HTTP\u8b58\u5225\u7b26\u865f\u5728\u7b2c\u4e8c\u500b\u7a7a\u767d\u4e4b\u5f8c,\u5b83\u4e5f\u5047\u8a2dURI\u662f\u5728\u7b2c\u4e00\u500b\u548c\u7b2c\u4e8c\u500b\u7a7a\u767d\u4e4b\u9593<br><strong>allow_proxy_use<\/strong><br>\u6b64\u70ba\u7279\u6b8a\u529f\u80fd,\u9019\u5141\u8a31\u4f7f\u7528\u8005\u5728server\u4e0a\u4f7f\u7528proxy,<br>\u82e5global\u9078\u9805\u7684proxy_alert\u555f\u7528,\u90a3\u8a72\u9078\u9805\u5f8c\u5c07\u4e0d\u6703\u8b93\u8b66\u5831\u7522\u751f<br>\u82e5global\u9078\u9805\u7684proxy_alert\u6c92\u88ab\u555f\u7528,\u90a3\u8a72\u9078\u9805\u4e0d\u6703\u505a\u4efb\u4f55\u4e8b<br>\u8a72\u9078\u9805\u50c5\u50c5\u53ea\u662f\u7528\u65bc\u5df1\u8a8d\u8b49\u7684server\u800c\u505c\u6b62\u672a\u8a8d\u8b49\u7684proxy<br><strong>no_alerts<\/strong><br>\u95dc\u9589\u6240\u6709\u900f\u904ehttp 
inspect\u524d\u7f6e\u8655\u7406\u5668\u6240\u7522\u751f\u7684\u6a21\u7d44,\u9019\u4e0d\u6703\u5f71\u97ff\u5728\u898f\u5247\u96c6\u4e2d\u7684http\u898f\u5247,<br>\u6c92\u6709\u53c3\u6578\u88ab\u6307\u5b9a<br><strong>oversize_dir_length &lt; non-zero positive integer&gt;<\/strong><br>\u8a72\u9078\u9805\u4f7f\u7528\u975e\u96f6\u6b63\u6574\u6578\u7576\u53c3\u6578,\u8a72\u53c3\u6578\u6307\u5b9aurl\u76ee\u9304\u4e2d\u6700\u5927\u5b57\u5143\u76ee\u9304\u9577\u5ea6,\u82e5url\u76ee\u9304\u5927\u65bc\u9019\u53c3\u6578\u5927\u5c0f\u5247\u6703\u7522\u751f\u8b66\u5831<br>\u597d\u7684\u53c3\u6578\u503c\u662f300\u500b\u5b57\u5143,\u9019\u61c9\u8a72\u53ef\u4ee5\u9650\u5236IDS\u6b3a\u9a19\u653b\u64ca\u7684\u8b66\u5831,\u50cf\u662fwhisker -i 4<br><strong>inspect_uri_only<\/strong><br>\u9019\u662f\u6548\u80fd\u512a\u5316,\u7576\u555f\u52d5\u6642,\u53ea\u6709http\u8acb\u6c42\u7684uri\u90e8\u4efd\u8981\u6aa2\u67e5\u662f\u5426\u70ba\u653b\u64ca<br>\u56e0\u70ba\u8a72\u6b04\u4f4d\u901a\u5e38\u5305\u542b90-95%\u7684web\u653b\u64ca,\u6240\u4ee5\u53ef\u4ee5\u6355\u6349\u5230\u5927\u90e8\u4efd\u7684\u653b\u64ca<br>\u6240\u4ee5\u82e5\u9700\u8981\u984d\u5916\u7684\u6548\u80fd\u5c31\u555f\u7528\u512a\u5316,<br>\u6709\u4e00\u9ede\u5f88\u91cd\u8981,\u82e5\u8a72\u9078\u9805\u6c92\u6709\u7528\u5728\u4efb\u4f55uricontent\u898f\u5247,\u90a3\u6aa2\u67e5\u7684\u52d5\u4f5c\u5c07\u4e0d\u6703\u767c\u751f<br>\u9019\u5f88\u660e\u986f,\u56e0\u70bauri\u53ea\u5728uricontent\u898f\u5247\u624d\u88ab\u6aa2\u67e5,\u800c\u4e14\u5047\u5982\u6c92\u6709\u53ef\u4ee5\u7528\u7684\u90a3\u4ec0\u9ebc\u6aa2\u67e5\u90fd\u4e0d\u6703\u505a<br>\u4f8b\u5982\u4ee5\u4e0b\u898f\u5247<br>alert tcp any any -&gt; any 80 ( msg:&#8221;content&#8221;; content: &#8220;foo&#8221;; )<br>\u6aa2\u67e5\u4ee5\u4e0b\u7684uri<br>get \/foo.htm 
http\/1.0rnrn<br>\u5728inspect_uri_only\u555f\u7528\u6642\u4e0d\u6703\u6709\u4efb\u4f55\u8b66\u5831\u7522\u751f,\u8a72\u9078\u9805\u9664\u4e86uricontent\u6aa2\u67e5\u5916,\u5168\u90e8\u5f62\u5f0f\u7684\u6aa2\u67e5\u90fd\u95dc\u9589<br><strong>max_header_length &lt; positive integer up to 65535&gt;<\/strong><br>\u8a72\u9078\u9805\u4f7f\u7528\u6574\u6578\u7576\u53c3\u6578,\u8a72\u6574\u6578\u662f\u5141\u8a31http client\u8acb\u6c42header\u6b04\u4f4d\u7684\u6700\u5927\u9577\u5ea6,\u82e5\u8d85\u904e\u5247\u6703\u7522\u751flong header\u8b66\u5831<br>\u8a72\u9078\u9805\u9810\u8a2d\u88ab\u95dc\u9589,\u6307\u5b9a\u53c3\u6578\u76841-65535\u4e4b\u9593\u7684\u503c\u5373\u53ef\u555f\u52d5,\u4f46\u82e5\u6307\u5b9a0\u4e00\u6a23\u8868\u793a\u95dc\u9589\u8a72\u9078\u9805<br><strong>webroot &lt; yes|no&gt;<\/strong><br>\u7576directory traversals\u5230web\u4f3a\u670d\u5668\u7684\u6839\u76ee\u9304\u6642\u6703\u7522\u751f\u8b66\u5831<br>\u9019\u7522\u751f\u7684\u8aa4\u5224\u6bd4directory\u9078\u9805\u66f4\u5c11,\u56e0\u70ba\u5728web\u4f3a\u670d\u5668\u76ee\u9304\u7d50\u69cb\u4e2d\u9032\u884cdirectory traversals\u6642\u5b83\u4e0d\u6703\u8b66\u5831<br>\u5b83\u53ea\u8b66\u5831\u7576directory traversals\u7d93\u904eweb\u4f3a\u670d\u5668\u7684\u6839\u76ee\u9304,\u56e0\u70ba\u9019\u548c\u67d0\u4e9bweb\u653b\u64ca\u6709\u95dc<br><strong>tab_uri_delimiter<\/strong><br>\u8a72\u9078\u9805\u555f\u7528URI\u4f7f\u75280X09\u7576\u4f5ctab\u7684\u8b58\u5225\u6a19\u8a8c,apache\u540c\u610ftab\u7576\u4f5c\u4e00\u500b\u8b58\u5225\u6a19\u8a8c,\u4f46iis\u4e0d\u63a5\u53d7,IIS\u4f7f\u7528\u5176\u4ed6\u5b57\u5143\u4f86\u4ee3\u66ffURI\u7684tab<br>\u4e0d\u7ba1\u8a72\u9078\u9805\u662f\u958b\u6216\u95dc,\u82e5\u4e00\u500b\u7a7a\u767d\u5b57\u5143(0x20)\u5728\u5b83\u4e4b\u524d,\u90a3tab\u6703\u88ab\u7576\u505a\u662f\u7a7a\u767d\u7a7a\u9593<br>\u4e0d\u7528\u6307\u5b9a\u53c3\u6578<br><strong>normalize_headers<\/strong><br>\u8a72\u9078\u9805\u5c07HTTP 
header\u6b04\u4f4d\u6062\u5fa9\u6b63\u5e38,\u4f46\u4e0d\u5305\u62eccookis(\u4f7f\u7528\u50cfmulti-slash,directory,..\u7b49uri normalization\u76f8\u540c\u7684\u53c3\u6578)<br>\u5c0d\u65bc\u51fa\u73fe\u5728http header\u5f15\u7528\u7684URI\u6062\u5fa9\u6b63\u5e38\u5f88\u6709\u5e6b\u52a9<br><strong>normalize_cookies<\/strong><br>\u8a72\u9078\u9805\u5c07HTTP cookie\u6b04\u4f4d\u6062\u5fa9\u6b63\u5e38(\u4f7f\u7528\u50cfmulti-slash,directory,..\u7b49uri normalization\u76f8\u540c\u7684\u53c3\u6578)<br>\u5c0d\u65bc\u5c07\u5df1\u7de8\u78bc\u7684http cookies\u8cc7\u6599\u6062\u5fa9\u6b63\u5e38\u5f88\u6709\u5e6b\u52a9<br><strong>max_headers &lt; positive integer up to 1024&gt;<\/strong><br>\u8a72\u9078\u9805\u53c3\u6578\u70ba\u6574\u6578,\u8a72\u6578\u503c\u8868\u793ahttp client \u8acb\u6c42header\u6b04\u4f4d\u7684\u6700\u5927\u503c<br>\u82e5\u4e00\u500b\u8acb\u6c42\u6240\u5305\u542bheader\u6b04\u4f4d\u503c\u5927\u65bc\u53c3\u6578\u7684\u8a2d\u5b9a\u5c07\u7522\u751f\u4e00\u500bmax header\u8b66\u5831<br>\u8a72\u8b66\u5831\u9810\u8a2d\u662f\u95dc\u9589,\u53ea\u8981\u6307\u5b9a\u4e00\u500b1\u52301024\u9593\u7684\u6574\u6578\u5373\u53ef\u958b\u555f\u8b66\u5831,\u82e5\u8a2d\u70ba0\u6703\u88ab\u8996\u70ba\u95dc\u9589\u8b66\u5831<\/p>\n\n\n\n<p>&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;..<\/p>\n\n\n\n<p><strong>\u9810\u8a2d\u7d44\u614b<\/strong><br>preprocessor http_inspect: global iis_unicode_map unicode.map 1252<br>preprocessor http_inspect_server:<br>server default<br>apache_whitespace no<br>ascii no<br>bare_byte no<br>chunk_length 500000<br>flow_depth 1460<br>directory no<br>double_decode no<br>iis_backslash no<br>iis_delimiter no<br>iis_unicode no<br>multi_slash no<br>non_strict<br>oversize_dir_length 500<br>ports { 80 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 }<br>u_encode yes<br>non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }<br>webroot 
no<\/p>\n\n\n\n<p>&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>http_inspect alert type<\/strong><\/h2>\n\n\n\n<p><strong>119-1 ASCII ENCODING<\/strong><br>Affected Systems: All web servers.<br>An attacker may try to encode an attack using the hexadecimal (%XX) representation of ASCII characters in an attempt to evade detection by an IDS.<br>False Positives: These encodings can be relatively prevalent in normal web traffic.<br><strong>119-2 DOUBLE DECODING ATTACK<\/strong><br>Affected Systems: Microsoft IIS Servers.<br>1. A URI that still contains encoded characters after one round of decoding (for example %25 decoding to a second %XX sequence) is abnormal behavior and may indicate an attack against a vulnerable system.<br>2. It may also be an attempt to evade an IDS: an IDS that decodes once sees a different string from a server that decodes twice, so an attack could reach the server without being detected.<br><strong>119-3 U ENCODING<\/strong><br>Affected Systems: Microsoft IIS Servers.<br>1. This may indicate an attempt to evade an IDS during an attack against the server.<br>2. No known browsers use %u encoding, so it is likely that this event indicates a malicious request.<br>3. A request encoded this way may evade an IDS monitoring the traffic, and the attacker could then launch a successful attack without being detected.<br>ps: preprocessor http_inspect_server: u_encode yes<br><strong>119-4 BARE BYTE UNICODE ENCODING<\/strong><br>Affected Systems: Microsoft IIS Servers.<br>1. This event may indicate an attack against a web server or at the least an attempt to evade an IDS.<br>2. No web clients encode UTF-8 characters this way (raw high bytes instead of %XX). This is most likely a malicious request.<br>ps: preprocessor http_inspect_server: bare_byte &lt; yes|no&gt;<br><strong>119-5 BASE36 ENCODING<\/strong><br>Affected Systems: Microsoft IIS Servers (Asian code pages).<br>This may be used in an attempt to obfuscate an attack against a web server or to evade an IDS.<br><strong>119-6 UTF-8 ENCODING<\/strong><br>Affected Systems: All web servers.<br>This may indicate an attempt to evade an IDS by obfuscating the request using UTF-8.<br>False Positives: This may be legitimate behavior; web clients may use this encoding.<br><strong>119-7 IIS UNICODE CODEPOINT ENCODING<\/strong><br>Affected Systems: Microsoft IIS Servers.<br>This may be an indicator of an obfuscated attack against a server as well as an attempt to evade an IDS.<br>A Unicode map can be generated for a specific target server; refer to the http_inspect documentation for instructions.<br><strong>119-8 MULTI_SLASH ENCODING<\/strong><br>Affected Systems: All web servers.<br>This may be an attempt to obfuscate an attack and may also indicate an attempt to evade an IDS.<br><strong>119-9 IIS BACKSLASH EVASION<\/strong><br>Affected Systems: Microsoft IIS Servers, Microsoft ASP.NET enabled servers.<br>1. This may be an attempt to obfuscate an attack or an attempt to evade an IDS.<br>2. It may also be possible for an attacker to gain access to objects in the Application folder by supplying a direct path to the object in a URI. This would not allow code execution but may give the attacker information about the application that can be used in further attacks.<br>ps: This event is enabled by using &#8216;iis_backslash yes&#8217; in the server configuration section of http_inspect.<br><strong>119-10 SELF DIRECTORY TRAVERSAL<\/strong><br>Affected Systems: Microsoft IIS Servers.<br>This may be an attempt to escape the web root directory or it may be an attempt to evade an IDS.<br>False Positives: This event may be generated if a web site uses &#8220;.\/&#8221; in links to other files on the site.<br><strong>119-11 DIRECTORY TRAVERSAL<\/strong><br>Affected Systems: Microsoft IIS Servers.<br>This may be an attempt to escape the web root directory or it may be an attempt to evade an IDS.<br>False Positives: This event may be generated if a web site uses &#8220;..\/&#8221; in links to other files on the site.<br><strong>119-12 APACHE WHITESPACE (TAB)<\/strong><br>Affected Systems: Apache web servers.<br>A tab character used in place of a space as the request line delimiter, which Apache accepts but the RFC does not define.<br>ps: preprocessor http_inspect_server: apache_whitespace yes<br><strong>119-13 NON-RFC HTTP DELIMITER<\/strong><br>Affected Systems: All web servers.<br>A bare newline (0x0a) used as the request line terminator instead of CRLF.<br>ps: preprocessor http_inspect_server: iis_delimiter yes<br><strong>119-14 NON-RFC DEFINED CHAR<\/strong><br>Affected Systems: All web servers.<br>An attacker may use non-standard characters in a request in an attempt to evade an IDS in the course of an attack against a web server.<br>ps: preprocessor http_inspect_server: non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }<br><strong>119-15 OVERSIZE REQUEST-URI DIRECTORY<\/strong><br>Affected Systems: All web servers.<br>1. Some servers have allowed remote attackers to execute arbitrary code via a long URL that triggers an overflow in a URI worker map routine.<br>2. An attacker may supply an over-long URI in an attempt to evade an IDS or in a possible attack against a web server.<br>ps: preprocessor http_inspect_server: oversize_dir_length 500<br><strong>119-16 OVERSIZE CHUNK ENCODING<\/strong><br>Affected Systems: Apache web servers.<br>This may be an indicator of an attack against a web server.<br>ps: preprocessor http_inspect_server: chunk_length 500000<br><strong>119-17 UNAUTHORIZED PROXY USE DETECTED<\/strong><br>Affected Systems: All client systems.<br>This event is generated when the global proxy_alert option is enabled and a proxied request (a full URI with scheme and host in the request line) is seen for a server that has not been configured with allow_proxy_use; it may indicate use of an unauthorized proxy.<br><strong>119-18 WEBROOT DIRECTORY TRAVERSAL<\/strong><br>Affected Systems: All web servers.<br>An attacker may employ a directory traversal technique to escape the root directory of a web server in an attempt to access protected system files.<br>ps: preprocessor http_inspect_server: webroot yes<br><strong>120-1 ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT<\/strong><br>Affected Systems: All web servers.<br>The http_inspect preprocessor detects the presence of a web server running on a port that is not defined.<br>Web server ports are defined in snort.conf as the variable $HTTP_PORTS and also in the http_inspect section. When a server is accessed on a port not defined in snort.conf, the presence of web traffic generates an event. This may indicate the presence of an unauthorized web server.<br>A web server may be used to transfer files from inside the protected network to unauthorized recipients on the outside.<\/p>\n\n\n\n<p>For more information see http:\/\/www.snort.org\/search\/sid\/119-1 through 119-18&nbsp;<\/p>\n\n\n\n<p>Source: http:\/\/www.snort.org\/docs&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>http_inspect http_inspect is the HTTP decoder used for user 
&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[370],"tags":[],"class_list":["post-374","post","type-post","status-publish","format-standard","hentry","category-blue-team"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/374","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=374"}],"version-history":[{"count":1,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/374\/revisions"}],"predecessor-version":[{"id":2421,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/374\/revisions\/2421"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=374"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
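As an added example (this is not code from the original page, nor Snort's own http_inspect source), the following Python models the checks that the server options and the 119-x events above describe: single and double %XX decoding, %u encoding, bare-byte and UTF-8 high bytes, non_rfc_char bytes, IIS backslash and multi-slash normalization, self, parent and webroot directory traversal, oversize_dir_length, and the max_headers and max_header_length limits, with a tab_uri_delimiter switch that selects the Apache or IIS treatment of a tab in the request line. The thresholds, function names and sample requests are this example's own constructions; the alert strings reuse the page's event names for readability but are not Snort's rule output.

```python
import re

# Thresholds standing in for http_inspect server options. The values are this
# example's own except oversize_dir_length, which the page's default config sets to 500.
MAX_HEADERS = 20            # max_headers: alert when a request carries more header fields
MAX_HEADER_LENGTH = 200     # max_header_length: alert when one header field is longer
OVERSIZE_DIR_LENGTH = 500   # oversize_dir_length: alert when one path segment is longer
NON_RFC_CHARS = {chr(c) for c in range(0x00, 0x08)}  # non_rfc_char { 0x00 .. 0x07 }

_HEX = re.compile(r'%([0-9a-fA-F]{2})')
_UHEX = re.compile(r'%u([0-9a-fA-F]{4})')


def _decode_once(s):
    """One layer of %uXXXX and %XX decoding. Bytes stay 1:1 as code points 0..255;
    the %u form maps straight to a code point (the IIS unicode map is not modelled)."""
    s = _UHEX.sub(lambda m: chr(int(m.group(1), 16)), s)
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), s)


def inspect_uri(uri):
    """Normalise a request URI roughly as http_inspect does and return
    (normalised_path, alerts). Alert names follow the 119-x events on the page;
    events 5, 7, 12, 13, 16 and 17 are not modelled here."""
    alerts = []

    def alert(name):                       # each event is reported once per URI
        if name not in alerts:
            alerts.append(name)

    path = uri.partition('?')[0]           # only the path part is normalised here
    if _UHEX.search(path):
        alert('119-3 U ENCODING')
    bare = any(ord(c) > 0x7f for c in path)   # raw high bytes, not %-encoded
    if bare:
        alert('119-4 BARE BYTE UNICODE ENCODING')
    if _HEX.search(path):
        alert('119-1 ASCII ENCODING')

    once = _decode_once(path)
    twice = _decode_once(once)             # what an IIS double decode would see
    if twice != once:
        alert('119-2 DOUBLE DECODING ATTACK')
    path = twice

    if not bare and any(ord(c) > 0x7f for c in path):
        alert('119-6 UTF-8 ENCODING')
    if any(c in NON_RFC_CHARS for c in path):
        alert('119-14 NON-RFC DEFINED CHAR')
    if '\\' in path:                       # iis_backslash: IIS treats \ as /
        alert('119-9 IIS BACKSLASH EVASION')
        path = path.replace('\\', '/')
    if '//' in path:                       # multi_slash
        alert('119-8 MULTI_SLASH ENCODING')
        path = re.sub(r'/+', '/', path)

    segments = []
    for seg in path.split('/'):
        if seg == '':
            continue
        if seg == '.':
            alert('119-10 SELF DIRECTORY TRAVERSAL')
        elif seg == '..':
            alert('119-11 DIRECTORY TRAVERSAL')
            if segments:
                segments.pop()
            else:                          # climbed above the web root
                alert('119-18 WEBROOT DIRECTORY TRAVERSAL')
        else:
            if len(seg) > OVERSIZE_DIR_LENGTH:
                alert('119-15 OVERSIZE REQUEST-URI DIRECTORY')
            segments.append(seg)
    return '/' + '/'.join(segments), alerts


def inspect_request(raw, tab_uri_delimiter=True):
    """Run the request-line and header checks over one raw request (bytes).
    tab_uri_delimiter=True mimics Apache (a tab ends the URI); False mimics IIS,
    where a tab is an ordinary URI character unless a space precedes it."""
    text = raw.decode('latin-1')           # keep every byte as one code point
    lines = text.split('\r\n\r\n', 1)[0].split('\r\n')
    request_line, headers = lines[0], lines[1:]
    alerts = []
    if len(headers) > MAX_HEADERS:
        alerts.append('max header')        # the page's max header alert
    if any(len(h) > MAX_HEADER_LENGTH for h in headers):
        alerts.append('long header')       # the page's long header alert
    line = request_line.replace(' \t', '  ')   # tab after a space is whitespace either way
    parts = re.split(r'[ \t]+' if tab_uri_delimiter else r' +', line)
    uri = parts[1] if len(parts) > 1 else ''
    path, uri_alerts = inspect_uri(uri)
    return path, alerts + uri_alerts


if __name__ == '__main__':
    # Constructed samples: an IIS-style double-decoded backslash traversal, and a
    # request line that only Apache's tab handling would parse as intended.
    print(inspect_request(b'GET /cgi-bin/..%255c..%255csecret.txt HTTP/1.0\r\nHost: x\r\n\r\n'))
    print(inspect_request(b'GET /index.html\tHTTP/1.0\r\n\r\n', tab_uri_delimiter=False))
```

Running the block prints the normalised path and the event list for each sample; the first decodes %255c to a backslash only on the second pass, which is exactly the case where an IDS that stops after one decode and a server that decodes twice disagree about the path. The base36, IIS unicode map, Apache whitespace, non-RFC delimiter, chunk length and proxy checks are deliberately left out.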