Snort mailing list archives

IIS Unicode Attack-Code


From: Olaf Gellert <gellert () pca dfn de>
Date: Fri, 1 Jun 2001 13:01:13 +0200

Hi,

I have many false positives on the "IIS Unicode attack".
Looking into spp_http_decode.c I find that the module
matches %FC in the URL. Is this necessary? I know of
%C0, %C1 and %C9 (backslash, slash etc). But %FC is
the German character u_umlaut, which is very common
in German URLs (especially those for search engines).

Just a question. Didn't find anything on whitehats.com.
Thanx for any explanation.
Olaf


-- 
Olaf Gellert                           mailto:gellert () pca dfn de
----------------------------------------------------------------
DFN-PCA:                    Eine Arbeitsgruppe der DFN-CERT GmbH
Oberstr. 14b                              http://www.pca.dfn.de/
D-20144 Hamburg, Germany           +49.40.808077-555 / Fax: -556
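
An added illustration of the false positive raised in this message (not code from spp_http_decode.c or the Snort project): 0xFC is u-umlaut in ISO-8859-1 and, in the original UTF-8 definition (RFC 2279), the lead byte of a six-byte sequence, so a check can require the continuation bytes and an overlong value before it alerts. The function names and the 2048-byte buffer are assumptions made for this example.

```c
#include <ctype.h>
#include <stdlib.h>

/* Percent-decode s into out (at most cap bytes); returns the decoded length. */
static size_t pct_decode(const char *s, unsigned char *out, size_t cap)
{
    size_t n = 0;
    while (*s && n < cap) {
        if (s[0] == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            char hex[3] = { s[1], s[2], '\0' };
            out[n++] = (unsigned char)strtoul(hex, NULL, 16);
            s += 3;
        } else {
            out[n++] = (unsigned char)*s++;
        }
    }
    return n;
}

/* Returns 1 if the decoded URL holds a well-formed but overlong UTF-8
 * sequence, 0 otherwise. A high byte without the continuation bytes its
 * lead pattern demands (e.g. ISO-8859-1 0xFC) is not treated as UTF-8. */
int url_has_overlong_utf8(const char *url)
{
    /* Smallest code point that legitimately needs 2..6 bytes (RFC 2279). */
    static const unsigned long min_cp[] = { 0x80, 0x800, 0x10000, 0x200000, 0x4000000 };
    unsigned char buf[2048];               /* assumed cap; longer URLs are cut here */
    size_t len = pct_decode(url, buf, sizeof buf);
    for (size_t i = 0; i < len; i++) {
        unsigned char b = buf[i];
        size_t extra;                      /* continuation bytes required */
        if      (b >= 0xC0 && b <= 0xDF) extra = 1;
        else if (b >= 0xE0 && b <= 0xEF) extra = 2;
        else if (b >= 0xF0 && b <= 0xF7) extra = 3;
        else if (b >= 0xF8 && b <= 0xFB) extra = 4;
        else if (b >= 0xFC && b <= 0xFD) extra = 5;
        else continue;                     /* ASCII, stray continuation, FE/FF */
        if (i + extra >= len) continue;    /* truncated: not a full sequence */
        unsigned long cp = b & (0x7Fu >> (extra + 1));
        size_t k;
        for (k = 1; k <= extra && (buf[i + k] & 0xC0) == 0x80; k++)
            cp = (cp << 6) | (buf[i + k] & 0x3Fu);
        if (k <= extra) continue;          /* lone high byte: 8-bit charset */
        if (cp < min_cp[extra - 1]) return 1;  /* fits in fewer bytes: overlong */
        i += extra;
    }
    return 0;
}
```

On constructed inputs, `url_has_overlong_utf8("/search?q=M%FCnchen")` returns 0 because the byte after 0xFC is not a continuation byte, while `"/a/%C0%AF/b"` returns 1 because the two bytes decode to a value that fits in one byte.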

