Snort mailing list archives

Re: spp_http_decode rules


From: Erek Adams <erek () theadamsfamily net>
Date: Sat, 11 Aug 2001 22:18:08 -0700 (PDT)

On Thu, 2 Aug 2001, Ken Mencher wrote:

I've got two of these category rules: CGI Null Byte attack & IIS Unicode
attack as two of my most frequent "attacks".  From what I've been able to
determine, they're all totally bogus...but I can't find the .rules file
where they exist...

They don't live in the rules.  :)  Use the source, Luke!

---
[erek@foofusbunny]/local/build/cvs/snort#egrep -n "CGI|UNICODE" *decode*.{c,h}
spp_http_decode.c:35: * a "-cginull" disables the CGI NULL check that is
enabled by default
spp_http_decode.c:61:#define NOUNICODE "-unicode"
spp_http_decode.c:62:#define NOCGINULL "-cginull"
spp_http_decode.c:182:        if(!strncasecmp(NOUNICODE, toks[num], sizeof
NOUNICODE))
spp_http_decode.c:186:        else if(!strncasecmp(NOCGINULL, toks[num],
sizeof NOCGINULL))
spp_http_decode.c:408:
HTTP_DECODE_UNICODE_ATTACK, 1, 0, 0, 0);
spp_http_decode.c:419:                                MODNAME ": CGI Null byte
attack detected");
spp_http_decode.c:421:
HTTP_DECODE_CGINULL_ATTACK, 1, 0, 0, 0);
spp_unidecode.c:26:*   Checks for NULL CGI and Unicode Directory Trans
spp_unidecode.c:38:#define NOCGINULL "-cginull"
spp_unidecode.c:39:#define NOUNICODE "-unicode"
spp_unidecode.c:140:        if(!strncmp(NOUNICODE, toks[num], sizeof
NOUNICODE))
spp_unidecode.c:144:        else if(!strncmp(NOCGINULL, toks[num], sizeof
NOCGINULL))
spp_unidecode.c:479:                    MODNAME ": CGI Null Byte attack
detected");
spp_unidecode.c:482:                UNIDECODE_CGINULL_ATTACK, 1, 0, 0, 0);
[erek@foofusbunny]/local/build/cvs/snort#
---

How do I disable those?

Update!  :)  I'm guessing you're using an older build of snort where the
http_decode and unidecode preprocs were a bit noisy.

Go grab the nightly tarball from CVS at:

  http://snort.sourceforge.net/snort-daily.tar.gz

Or follow the CVS instructions from http://www.snort.org/cvs_information.html

It _really_ does help make all that go away!  Besides, it's fun out here on
the bleeding edge!  ;-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
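The egrep output above shows where the two alerts come from and that the preprocessor accepts "-unicode" and "-cginull" switches (compared case-insensitively with strncasecmp). The following is an added illustration, written for this archive page and not code from Snort or from either poster, of how that argument parsing and the two checks fit together. Assumptions: the directive form `preprocessor http_decode: <ports> [-unicode] [-cginull]` is taken from the Snort 1.8 documentation, not from this thread; the "overlong two-byte UTF-8" test is a simplified stand-in for whatever spp_http_decode's Unicode directory-traversal check actually matches; and all sample URIs are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class HttpDecodeConfig:
    """Result of parsing the http_decode argument string.
    Both checks default to enabled, as the comment at spp_http_decode.c:35 says."""
    ports: set = field(default_factory=set)
    check_unicode: bool = True
    check_cginull: bool = True


def parse_http_decode_args(args: str) -> HttpDecodeConfig:
    """Parse e.g. '80 8080 -unicode -cginull' (directive form assumed from the
    Snort 1.8 manual). Switches are matched case-insensitively, mirroring the
    strncasecmp() calls at spp_http_decode.c:182/186; any other token must be
    a port number."""
    cfg = HttpDecodeConfig()
    for tok in args.split():
        low = tok.lower()
        if low == "-unicode":
            cfg.check_unicode = False
        elif low == "-cginull":
            cfg.check_cginull = False
        elif tok.isdigit():
            cfg.ports.add(int(tok))
        else:
            raise ValueError(f"unknown http_decode token: {tok!r}")
    return cfg


PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def percent_decode_bytes(uri: str) -> bytes:
    """Single-pass %XX decoding into raw bytes; the checks below look at the
    bytes rather than a decoded string so that %00 and overlong sequences
    are still visible."""
    out = bytearray()
    i = 0
    while i < len(uri):
        m = PCT.match(uri, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out += uri[i].encode("latin-1", "replace")
            i += 1
    return bytes(out)


def has_overlong_utf8(raw: bytes) -> bool:
    """Simplified stand-in (assumption, not Snort's exact logic): a two-byte
    UTF-8 sequence with lead byte 0xC0 or 0xC1 always encodes a code point
    below 0x80, i.e. an ASCII character such as '/' written the long way."""
    for i in range(len(raw) - 1):
        if raw[i] in (0xC0, 0xC1) and 0x80 <= raw[i + 1] <= 0xBF:
            return True
    return False


def inspect_uri(uri: str, cfg: HttpDecodeConfig) -> list:
    """Return the alert messages this URI would raise under cfg.
    Message texts follow the MODNAME ": ..." strings in the egrep output."""
    alerts = []
    raw = percent_decode_bytes(uri)
    if cfg.check_cginull and b"\x00" in raw:
        alerts.append("CGI Null byte attack detected")
    if cfg.check_unicode and has_overlong_utf8(raw):
        alerts.append("Unicode attack detected")
    return alerts


# Constructed sample request URIs for a quick run.
SAMPLE_URIS = [
    "/index.html?q=caf%C3%A9",      # valid UTF-8, no alert
    "/cgi-bin/form.cgi?name=x%00",  # embedded null byte
    "/a%c0%afb.html",               # overlong encoding of '/'
]

if __name__ == "__main__":
    for args in ("80 8080", "80 -UNICODE -cginull"):
        cfg = parse_http_decode_args(args)
        print(f"preprocessor http_decode: {args}")
        for uri in SAMPLE_URIS:
            print(f"  {uri:32} -> {inspect_uri(uri, cfg)}")
```

Running it with the two argument strings shows the difference between the noisy default and a line with both switches set: the same three URIs produce two alerts under "80 8080" and none under "80 -UNICODE -cginull".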

