Snort mailing list archives
Re: http_decode alerts bypassing "pass" rules
From: Neil Dickey <neil () geol niu edu>
Date: Wed, 9 May 2001 12:00:07 -0500 (CDT)
Pete Philips <pete () s3 integralis co uk> wrote asking:

[ ... Snip, "pass" rules ... ]

This works fine and no alerts are generated by these hosts except when it is generated by http_decode such as:

May 9 15:59:44 spock snort: spp_http_decode: IIS Unicode attack detected: 10.1.1.31:1312 -> 192.168.1.1:80

Is there a way to also silence these alerts for particular hosts?
So far as I know there isn't. One can only turn off the unicode alerts or turn them on. It isn't possible to control the preprocessor with respect to specific hosts. Use the "-unicode" switch on the http_decode preprocessor line in the configuration file to turn them off. Remember to reset Snort to get it to respond to your changes.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
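Because the preprocessor cannot be scoped per host, the per-host silencing asked about in the thread can instead be done downstream of Snort, on the syslog stream. The following is an added example, not part of the original message or of Snort itself; the trusted-source list, the function names and every sample line except the one quoted in the thread are constructed assumptions.

```python
import ipaddress
import re

# Matches only the syslog form quoted in the thread; every other line
# (rule alerts, other daemons) falls through untouched.
UNICODE_ALERT = re.compile(
    r"spp_http_decode: IIS Unicode attack detected: "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+"
)

# Assumption: sources whose Unicode alerts are known false positives.
TRUSTED_SOURCES = [ipaddress.ip_network("10.1.1.31/32")]


def is_suppressed(line, trusted=TRUSTED_SOURCES):
    """True only for a Unicode alert whose *source* is a trusted host."""
    m = UNICODE_ALERT.search(line)
    if not m:
        return False
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return False  # malformed address: fail open and keep the alert
    return any(src in net for net in trusted)


def filter_alerts(lines, trusted=TRUSTED_SOURCES):
    """Return (kept_lines, dropped_count) so suppression stays auditable."""
    kept = [line for line in lines if not is_suppressed(line, trusted)]
    return kept, len(lines) - len(kept)


# First line is the one quoted in the thread; the rest are constructed.
SAMPLE = [
    "May 9 15:59:44 spock snort: spp_http_decode: IIS Unicode attack detected: 10.1.1.31:1312 -> 192.168.1.1:80",
    "May 9 16:00:10 spock snort: spp_http_decode: IIS Unicode attack detected: 10.1.1.32:1500 -> 192.168.1.1:80",
    "May 9 16:00:45 spock snort: spp_http_decode: IIS Unicode attack detected: 172.16.5.9:4021 -> 10.1.1.31:80",
    "May 9 16:02:10 spock sshd[411]: Connection from 10.1.1.31 port 1400",
]

if __name__ == "__main__":
    kept, dropped = filter_alerts(SAMPLE)
    print("\n".join(kept))
    print(f"suppressed {dropped} alert(s) from trusted sources")
```

Unlike the "-unicode" switch, this leaves the Unicode check active for every other host, and the dropped count gives a record of how much was silenced.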