Snort mailing list archives
Re: spp_http_decode rules
From: Erek Adams <erek () theadamsfamily net>
Date: Sat, 11 Aug 2001 22:18:08 -0700 (PDT)
On Thu, 2 Aug 2001, Ken Mencher wrote:
I've got two of these category rules: CGI Null Byte attack & IIS Unicode attack as two of my most frequent "attacks". From what I've been able to determine, they're all totally bogus...but I can't find the .rules file where they exist...
They don't live in the rules. :) Use the source, Luke!

---
[erek@foofusbunny]/local/build/cvs/snort# egrep -n "CGI|UNICODE" *decode*.{c,h}
spp_http_decode.c:35: * a "-cginull" disables the CGI NULL check that is enabled by default
spp_http_decode.c:61:#define NOUNICODE "-unicode"
spp_http_decode.c:62:#define NOCGINULL "-cginull"
spp_http_decode.c:182: if(!strncasecmp(NOUNICODE, toks[num], sizeof NOUNICODE))
spp_http_decode.c:186: else if(!strncasecmp(NOCGINULL, toks[num], sizeof NOCGINULL))
spp_http_decode.c:408: HTTP_DECODE_UNICODE_ATTACK, 1, 0, 0, 0);
spp_http_decode.c:419: MODNAME ": CGI Null byte attack detected");
spp_http_decode.c:421: HTTP_DECODE_CGINULL_ATTACK, 1, 0, 0, 0);
spp_unidecode.c:26:* Checks for NULL CGI and Unicode Directory Trans
spp_unidecode.c:38:#define NOCGINULL "-cginull"
spp_unidecode.c:39:#define NOUNICODE "-unicode"
spp_unidecode.c:140: if(!strncmp(NOUNICODE, toks[num], sizeof NOUNICODE))
spp_unidecode.c:144: else if(!strncmp(NOCGINULL, toks[num], sizeof NOCGINULL))
spp_unidecode.c:479: MODNAME ": CGI Null Byte attack detected");
spp_unidecode.c:482: UNIDECODE_CGINULL_ATTACK, 1, 0, 0, 0);
[erek@foofusbunny]/local/build/cvs/snort#
---
How do I disable those?
Update! :) If I'm guessing, you're using an older build of snort where the http_decode and unidecode preprocs were a bit noisy. Go grab the nightly tarball from CVS at: http://snort.sourceforge.net/snort-daily.tar.gz

Or follow the CVS instructions from http://www.snort.org/cvs_information.html

It _really_ does help make all that go away! Besides, it's fun out here on the bleeding edge! ;-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
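As an added illustration (not code from this thread or from Snort itself), the Python below models how the "-unicode" and "-cginull" tokens shown in the grep output gate the two preprocessor checks; the URI patterns it matches are a simplified assumption about what each check flags, not Snort's actual decoder logic, and the alert texts are taken from or modelled on the messages quoted above.

```python
import re

# Option tokens as defined in spp_http_decode.c (NOUNICODE / NOCGINULL).
NOUNICODE = "-unicode"
NOCGINULL = "-cginull"

def parse_http_decode_options(arg_string):
    """Parse the argument string of a 'preprocessor http_decode:' line.

    Mirrors the token loop visible in the grep output: numeric tokens are
    ports; each flag token switches off the corresponding check, which is
    enabled by default. spp_http_decode.c compares tokens with strncasecmp,
    so the match is case-insensitive here too (spp_unidecode.c uses strncmp).
    Returns (ports, unicode_check_enabled, cginull_check_enabled).
    """
    ports, unicode_on, cginull_on = [], True, True
    for tok in arg_string.split():
        if tok.lower() == NOUNICODE:
            unicode_on = False
        elif tok.lower() == NOCGINULL:
            cginull_on = False
        elif tok.isdigit():
            ports.append(int(tok))
        else:
            raise ValueError("unknown http_decode option: %s" % tok)
    return ports, unicode_on, cginull_on

# Simplified, assumed detection patterns (not Snort's code): a CGI null byte is a
# literal %00 in the URI; an IIS Unicode traversal is an overlong two-byte UTF-8
# encoding (lead byte C0 or C1) of a path separator that a naive decoder would
# turn into '/' or '\' after the traversal check has already run.
CGI_NULL_RE = re.compile(r"%00", re.IGNORECASE)
UNICODE_RE = re.compile(r"%c[01]%[89ab][0-9a-f]", re.IGNORECASE)

def inspect_uri(uri, unicode_on=True, cginull_on=True):
    """Return the alert messages the modelled decoder raises for one URI."""
    alerts = []
    if cginull_on and CGI_NULL_RE.search(uri):
        alerts.append("CGI Null byte attack detected")
    if unicode_on and UNICODE_RE.search(uri):
        alerts.append("IIS Unicode attack detected")  # assumed message text
    return alerts

if __name__ == "__main__":
    # Constructed sample config line and request URIs for demonstration.
    ports, uni, nul = parse_http_decode_options("80 8080 -unicode")
    for sample in ("/cgi-bin/x.cgi?f=a%00.html", "/scripts/..%c0%af../x", "/index.html"):
        print(sample, "->", inspect_uri(sample, uni, nul))
```

With "-unicode" present the overlong-encoding sample is silently accepted, which is exactly the trade-off the original poster is asking about: the flag suppresses the alert rather than fixing whatever made it noisy.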