Thursday, October 12, 2006

Q: In the settings for the HTTP preprocessor, what's the difference between the "yes" and "no" radio buttons for an attack, and the checkbox?

A:

Each of the attacks known to the HTTP Inspection preprocessor has a checkbox and two radio buttons.

The preprocessor can do two things. First, it can normalize the HTTP stream to prevent evasion of Snort rules. Second, it can alert when a suspected evasion attempt is encountered.

The radio buttons control whether an attempt will generate an alert. (There's also a global "no alerts" checkbox up above.)

The checkbox next to each attack controls whether the preprocessor looks for that attack at all. With the box unchecked, the preprocessor will not normalize the traffic when that type of attack is encountered because it won't even try to detect that kind of attack.

So, it is a good idea to leave the box checked to allow normalization of traffic even when turning the alerts off.

Normalization converts the HTTP traffic to a common format, so that duplicate Snort rules do not have to be written to detect an obfuscated attack. Only one Snort rule is needed per attack.

For instance, the following are all equivalent to a browser when they appear in a link, img tag, iframe, or other element which contains URLs. After normalization, they will all appear the same:

  • bad stuff.gif
  • bAd stuff.gif
  • bad%20stuff.gif
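As an added illustration (not code from the post, and not Snort's own normalizer), here is a small Python normalizer that does what the preprocessor does for the case above: percent-decode the URI and fold case, then match one signature against the canonical form. It goes slightly beyond the post by also collapsing doubly-encoded forms such as %2520. The URIs, the "bad stuff.gif" signature, and the function names are constructed for this example.

```python
import urllib.parse

# Constructed sample request URIs: the post's variants plus a mixed-case,
# percent-encoded one. To a browser these all name the same resource.
SAMPLE_URIS = [
    "/images/bad stuff.gif",
    "/images/bAd stuff.gif",
    "/images/bad%20stuff.gif",
    "/images/BAD%20STUFF.gif",
]

# The single content string a hypothetical rule looks for after normalization.
SIGNATURE = "bad stuff.gif"


def normalize_uri(uri: str) -> str:
    """Canonicalise a URI the way an HTTP inspection step would before rule
    matching: percent-decode and case-fold.

    Decoding is repeated until the string stops changing, so a doubly-encoded
    form (%2520 -> %20 -> space) collapses as well. The loop is bounded so
    pathological input cannot make it spin.
    """
    decoded = uri
    for _ in range(3):
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # The post treats "bad" and "bAd" as equivalent, so fold case too.
    return decoded.lower()


def raw_match(uri: str) -> bool:
    """What a rule sees with normalization off: the literal bytes on the wire."""
    return SIGNATURE in uri


def normalized_match(uri: str) -> bool:
    """What the same rule sees after the preprocessor has normalized the URI."""
    return SIGNATURE in normalize_uri(uri)


def evasion_report(uris):
    """Return (raw_hits, normalized_hits): how many variants one rule catches
    without and with normalization."""
    raw_hits = sum(1 for u in uris if raw_match(u))
    norm_hits = sum(1 for u in uris if normalized_match(u))
    return raw_hits, norm_hits


if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(f"{u!r:32} raw={raw_match(u)!s:5} normalized={normalized_match(u)}")
    print("hits without/with normalization:", evasion_report(SAMPLE_URIS))
```

Running it shows the point of leaving the checkbox ticked: the literal rule matches one of the four variants on the raw stream, but all four once the URI has been normalized, which is why turning off the alert via the radio buttons is preferable to disabling detection of that evasion entirely.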