Snort mailing list archives
RE: spp_http_decode rules
From: "Erickson Brent W KPWA" <erickson () kpt nuwc navy mil>
Date: Sat, 11 Aug 2001 21:12:59 -0700
Hi Ken,

Your own internal users' normal surfing can trigger these alerts in the preprocessor. Netscape in particular has been known to trigger them. Instead of disabling them, try a BPF filter to ignore your outbound http traffic such as:

    snort -d -A fast -c snort.conf 'not (src net xxx.xxx and dst port 80)'

This has worked very well for us over a period of 5-6 months and Snort is still very able to decode actual and dangerous cgi null and unicode attacks on our public web servers.

Hope this will help you. Marty and other experienced Snort users told me how to do this quite some time ago and the credit is theirs. I just believe in sharing. I had the same problem with normal outbound http triggering these alerts like big time.

Brent Erickson
-----Original Message-----
From: Ken Mencher [SMTP:kenm () Buy com]
Sent: Thursday, August 02, 2001 2:55 PM
To: Snort-Users (E-mail)
Subject: [Snort-users] spp_http_decode rules

I've got two of these category rules: CGI Null Byte attack & IIS Unicode attack as two of my most frequent "attacks". From what I've been able to determine, they're all totally bogus...but I can't find the .rules file where they exist...

How do I disable those?

Ken Mencher
Network/Security Admin
buy.com
949-389-2123

Cahn's Axiom: When all else fails, read the instructions.
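An added illustration, not part of the original messages and not Snort code: the Python below mirrors the logic of the BPF expression `not (src net xxx.xxx and dst port 80)` over a few constructed flows, to show which traffic the sensor still inspects and which it stops seeing. The 192.0.2.0/24 network standing in for the masked `xxx.xxx`, the other addresses, and the function names are all assumptions.

```python
import ipaddress

# Assumption: 192.0.2.0/24 (documentation range) stands in for the masked
# "xxx.xxx" network in the post; every address below is constructed.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


def sensor_sees(src_ip: str, dst_port: int) -> bool:
    """Mirror the BPF expression: not (src net INTERNAL_NET and dst port 80)."""
    from_internal = ipaddress.ip_address(src_ip) in INTERNAL_NET
    return not (from_internal and dst_port == 80)


# Constructed flows: (label, source IP, destination IP, destination port)
FLOWS = [
    ("internal user browsing the Internet", "192.0.2.10", "203.0.113.5", 80),
    ("Internet client to public web server", "203.0.113.77", "198.51.100.20", 80),
    ("internal host to own public web server", "192.0.2.10", "198.51.100.20", 80),
    ("internal user via proxy on 8080", "192.0.2.10", "203.0.113.5", 8080),
    ("web reply back to internal user", "203.0.113.5", "192.0.2.10", 49152),
]


def split_flows(flows):
    """Return (inspected, ignored) label lists for the given flows."""
    inspected, ignored = [], []
    for label, src, _dst, dport in flows:
        # The destination address is deliberately unused: the filter
        # only tests the source network and the destination port.
        (inspected if sensor_sees(src, dport) else ignored).append(label)
    return inspected, ignored


if __name__ == "__main__":
    inspected, ignored = split_flows(FLOWS)
    for label in inspected:
        print("inspected:", label)
    for label in ignored:
        print("ignored:  ", label)
```

Because the filter never tests the destination address, port-80 traffic from the internal network to your own web servers is skipped along with ordinary outbound browsing, while internal traffic to other ports (a proxy on 8080, for instance) still reaches the preprocessor.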