Snort mailing list archives

Re: sadmind rule


From: Andrew Daviel <andrew () andrew triumf ca>
Date: Wed, 9 May 2001 12:48:53 -0700 (PDT)

On Wed, 9 May 2001, Max Vision wrote:

> The NT/IIS attacks will be seen by IDS433:
>  http://whitehats.com/info/IDS433  (http-iis-unicode-traversal-optyx)

Not if the HTTP preprocessor is enabled - which for me gives
way too many "spp_http_decode: IIS Unicode attack detected " to
believe.

The IDS433 rule doesn't seem to be in the ruleset I was running (Jan 18
2001 probably) or in the "current" 1.7 snortrules.tar.gz I just
downloaded.



-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca

