Snort mailing list archives

Re: http_decode alerts bypassing "pass" rules


From: Neil Dickey <neil () geol niu edu>
Date: Wed, 9 May 2001 12:00:07 -0500 (CDT)


Pete Philips <pete () s3 integralis co uk> wrote asking:

[ ... Snip, "pass" rules ... ]

> This works fine and no alerts are generated by these hosts
> except when it is generated by http_decode such as:
>
> May  9 15:59:44 spock snort: spp_http_decode: IIS Unicode attack detected: 10.1.1.31:1312 -> 192.168.1.1:80
>
> Is there a way to also silence these alerts for particular hosts?

So far as I know there isn't.  One can only turn off the unicode alerts
or turn them on.  It isn't possible to control the preprocessor with
respect to specific hosts.

Use the "-unicode" switch on the http_decode preprocessor line in the
configuration file to turn them off.  Remember to reset Snort to get it
to respond to your changes.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
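
Because the preprocessor cannot be scoped per host, one way to leave Unicode detection on and still silence it for chosen hosts is to filter the syslog output afterwards. The following is an added example, not part of the original post and not a Snort feature; the function name, the trusted-source list and every sample line except the one quoted in the post are constructed.

```python
import ipaddress
import re

# Matches the spp_http_decode syslog format quoted in the post:
#   "... snort: spp_http_decode: <message>: SRC:SPORT -> DST:DPORT"
ALERT_RE = re.compile(
    r"snort: spp_http_decode: (?P<msg>[^:]+): "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\s*$"
)

def filter_alerts(lines, trusted_sources):
    """Split lines into (kept, suppressed).

    Only spp_http_decode alerts whose source address falls inside one of
    trusted_sources (hypothetical allowlist of IPs or CIDR blocks) are
    suppressed. Everything else, including lines that do not parse, is kept
    so that a format change never hides an alert.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_sources]
    kept, suppressed = [], []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            try:
                src = ipaddress.ip_address(m.group("src"))
            except ValueError:
                src = None  # malformed address: fail open, keep the alert
            if src is not None and any(src in n for n in nets):
                suppressed.append(line)
                continue
        kept.append(line)
    return kept, suppressed

# First line is the alert quoted in the post; the rest are constructed samples.
SAMPLE = [
    "May  9 15:59:44 spock snort: spp_http_decode: IIS Unicode attack detected: 10.1.1.31:1312 -> 192.168.1.1:80",
    "May  9 16:00:10 spock snort: spp_http_decode: IIS Unicode attack detected: 10.9.9.9:4021 -> 192.168.1.1:80",
    "May  9 16:01:02 spock snort: EXAMPLE rule alert: 10.1.1.31:1313 -> 192.168.1.1:80",
    "May  9 16:02:30 spock snort: spp_http_decode: IIS Unicode attack detected: 999.1.1.31:1314 -> 192.168.1.1:80",
]

if __name__ == "__main__":
    kept, suppressed = filter_alerts(SAMPLE, ["10.1.1.31"])
    for line in kept:
        print(line)
```

Unlike the "-unicode" switch, this keeps the alert for every other source and leaves the suppressed lines available for audit.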
