Snort mailing list archives

Re: spp_unicode exploits


From: John Sage <jsage () finchhaven com>
Date: Mon, 26 Nov 2001 06:28:40 -0800

Tom:

I believe that is handled in snort.conf:

# unidecode: normalize HTTP/detect UNICODE attacks
# ------------------------------------------------
# Works much the same as http_decode, but does a better
# job of categorizing and identifying UNICODE attacks,
# recommended as a potential replacement for http_decode.

preprocessor unidecode: 80 -unicode -cginull

#


..and not by any specific rule.


This is similar to the stream4 preprocessor, which people see but often can't quickly figure out why:

# memcap [number] - limit stream4 memory usage to [number] bytes

preprocessor stream4: detect_scans, detect_state_problems

#



HTH..

- John


Tom Fischer wrote:


Hi,

Snort detects several outgoing unicode exploits (all false positives), but I didn't define it in any rule. I'm using demarc for monitoring. Grepping through the ruleset and the sources results in nothing.
Where can I find it?

Thx

Tom
- -- Tom Fischer ABH Marketingservice GmbH
System Administrator            Weisshaustraße 23a
Tel: 0221-94400446              50939 Köln      
http://www.abh.de




