Snort mailing list archives
Re: spp_unicode exploits
From: John Sage <jsage () finchhaven com>
Date: Mon, 26 Nov 2001 06:28:40 -0800
Tom:

I believe that is handled in snort.conf:

# unidecode: normalize HTTP/detect UNICODE attacks
# ------------------------------------------------
# Works much the same as http_decode, but does a better
# job of categorizing and identifying UNICODE attacks,
# recommended as a potential replacement for http_decode.

preprocessor unidecode: 80 -unicode -cginull
#

..and not by any specific rule.

This is similar to the stream4 preprocessor, which people see but often can't quickly figure out why:

# memcap [number] - limit stream4 memory usage to [number] bytes

preprocessor stream4: detect_scans, detect_state_problems
#

HTH..

- John

Tom Fischer wrote:
Hi,

Snort detects several outgoing unicode exploits (all false positives) but I didn't define it in any rule. I'm using demarc for monitoring. Grepping through the ruleset and the sources results in nothing.

Where can I find it?

Thx
Tom

--
Tom Fischer
System Administrator
Tel: 0221-94400446

ABH Marketingservice GmbH
Weisshaustraße 23a
50939 Köln
http://www.abh.de