Snort mailing list archives
RE: Where to configure/change rules for this one?
From: Neil Dickey <neil () geol niu edu>
Date: Thu, 3 May 2001 17:05:55 -0500 (CDT)
"Ed Greshko" <Edward.M.Greshko () syntegra com> wrote:
preprocessor http_decode: 80 8080 -unicode

Thanks.... I'll be having my eyes examined in the morning....
Don't feel bad. I fell into that particular hole myself! That's how I happened to learn the remedy .... ;-)
I do wonder, however, if the code could be modified to be more tolerant to avoid false positives.
That I don't know. Not all unicode packets represent attacks, obviously, but I'm not sophisticated enough in these matters ( yet! ) to know what to do about the false positives. One would doubtless have to get into the source code for the preprocessor and tweak it in order to improve things, but that may not be as straightforward as it might sound.

A question for the list: Does anyone have an estimate for what percentage of installations have the unicode alert turned off? If the percentage is large, that might suggest an overhaul.

Just a thought -- and not evidence of ingratitude for what really is a fine software package.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115