Snort mailing list archives
IIS Unicode Attack-Code
From: Olaf Gellert <gellert () pca dfn de>
Date: Fri, 1 Jun 2001 13:01:13 +0200
Hi,

I have many false positives on the "IIS Unicode attack". Looking into spp_http_decode.c I find that the module matches %FC in the URL. Is this necessary? I know of %C0, %C1 and %C9 (backslash, slash etc). But %FC is the German character u_umlaut, which is very common in German URLs (especially those for search engines).

Just a question. Didn't find anything on whitehats.com.

Thanks for any explanation.

Olaf

--
Olaf Gellert mailto:gellert () pca dfn de
DFN-PCA: a working group of DFN-CERT GmbH
Oberstr. 14b http://www.pca.dfn.de/
D-20144 Hamburg, Germany
+49.40.808077-555 / Fax: -556
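The distinction the question turns on, as an added example (not part of the original post and not Snort's spp_http_decode.c): under the original UTF-8 definition (RFC 2279), 0xFC is the lead byte of a six-byte sequence, so it only matters when five continuation bytes follow, whereas a Latin-1 u-umlaut is a lone %FC. The function names are hypothetical; the check flags only complete sequences that decode to an ASCII code point.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>

/* Decode %XX escapes from url into out (at most cap bytes); returns length. */
static size_t pct_decode(const char *url, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; url[i] != '\0' && n < cap; i++) {
        if (url[i] == '%' && isxdigit((unsigned char)url[i + 1])
                          && isxdigit((unsigned char)url[i + 2])) {
            char hex[3] = { url[i + 1], url[i + 2], '\0' };
            out[n++] = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        } else {
            out[n++] = (unsigned char)url[i];
        }
    }
    return n;
}

/* Returns 1 if the decoded URL holds a complete multi-byte UTF-8 sequence
 * (RFC 2279 forms, 2 to 6 bytes) whose value is an ASCII code point, i.e. an
 * overlong encoding of a character such as '/' or '\'. A lone high byte such
 * as Latin-1 0xFC (u-umlaut) without continuation bytes returns 0. */
int has_overlong_ascii(const char *url)
{
    unsigned char b[2048];
    size_t n = pct_decode(url, b, sizeof b);
    for (size_t i = 0; i < n; i++) {
        size_t len, k;
        unsigned long cp;
        if      ((b[i] & 0xE0) == 0xC0) { len = 2; cp = b[i] & 0x1F; }
        else if ((b[i] & 0xF0) == 0xE0) { len = 3; cp = b[i] & 0x0F; }
        else if ((b[i] & 0xF8) == 0xF0) { len = 4; cp = b[i] & 0x07; }
        else if ((b[i] & 0xFC) == 0xF8) { len = 5; cp = b[i] & 0x03; }
        else if ((b[i] & 0xFE) == 0xFC) { len = 6; cp = b[i] & 0x01; }
        else continue;                  /* ASCII, continuation, 0xFE/0xFF */
        if (i + len > n) continue;      /* too few bytes left for a sequence */
        for (k = 1; k < len && (b[i + k] & 0xC0) == 0x80; k++)
            cp = (cp << 6) | (b[i + k] & 0x3F);
        if (k == len && cp < 0x80) return 1;
    }
    return 0;
}
```

With constructed inputs, `has_overlong_ascii("/suche?q=M%FCller")` returns 0, while `"/a%C0%AFb"` and the six-byte form `"/a%FC%80%80%80%80%AFb"` return 1.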