Snort mailing list archives
RE: Not feeling the LOVE
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Mon, 4 Mar 2002 14:05:40 -0500
Have you set the -cginull switch in your snort.conf file? And have you considered running http_decode instead of unidecode?

-----Original Message-----
From: Ben Keepper [mailto:bkeepper () Paladinss com]
Sent: Monday, March 04, 2002 1:56 PM
To: snort-users () lists sourceforge net
Cc: DEMARC-Users () demarc org
Subject: [Snort-users] Not feeling the LOVE

I have posted several times all over webdom and have not received a single reply to this question:

"I posted this to the snort users list. No replies. I don't think it is a stupid question and it is not covered in the documentation. I am getting a lot of spp_unidecode (mostly CGI null byte attack) false positives originating from my firewall NAT address going ONLY to specific web sites (ingrammicro and compaq to be specific). How can I eliminate these false positives? Obviously normal rule modifications won't work because this is a preprocessor. ANY help would be appreciated."

If everybody is ignoring because this is covered in the documentation, please be helpful and point me to the spot. I can't believe I am the only one having this issue.

Once again, any help (or thoughts would be appreciated),

Thanks,
Ben
Current thread:
- Not feeling the LOVE Ben Keepper (Mar 04)
- Re: Not feeling the LOVE Erek Adams (Mar 04)
- Re: Not feeling the LOVE John Sage (Mar 04)
- Re: Not feeling the LOVE Matt Kettler (Mar 04)
- <Possible follow-ups>
- RE: Not feeling the LOVE McCammon, Keith (Mar 04)