Snort mailing list archives

Re: Not feeling the LOVE


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 04 Mar 2002 17:13:51 -0500

Actually I do have Ben's original post about the topic still in my inbox, it was dated mid February, and is not mangled, but was mime-converted by my mailserver (from quoted printable, but his most recent post was converted from base64).

The original message has these relevant headers (among others)
  Date: Mon, 18 Feb 2002 11:29:39 -0800
Content-Transfer-Encoding: 8bit
  Subject: [Snort-users] spp_unidecode false positive

basically he comments that these alerts are going off for packets from his network heading to compaq and ingram micro websites.. Sounds like compaq and ingram (amongst many others) use submissions that contain all kinds of wacky byte patterns. I've found these alerts to be quite noisy myself.

As for what to do about the "false" positives, I personally use http_decode with those particular alerts disabled (as someone else already suggested). The webserver I'm protecting is fairly minimal and has no CGIs running on it, so these aren't really a major concern to me. From what I understand unidecode is still a bit on the experimental side anyway..

preprocessor http_decode: 80 -unicode -cginull
<comment block>
# preprocessor unidecode: 80 -unicode -cginull

I would only consider turning these on for a snort box which will only see traffic which is bound for your webserver, it's just too noisy if client PCs are in the traffic.



At 01:13 PM 3/4/2002 -0800, John Sage wrote:
On Mon, Mar 04, 2002 at 10:56:11AM -0800, Ben Keepper wrote:
> I have posted several times all over webdom and have not received a
> single reply to this question:

That's funny..

I have about 370 emails in my mbox, and when I sort by sender name,
your name comes only once, on this post...


> ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿҞŠíþë®ÉšŠX§‚X¬µ)è®ßî±êìþX¬¶Ïì¢êÜyú+ïçzѨ¶‹aŠÅ.څ©àz뮊mŠ‰ì¢»§²æìr¸›{øm¶›ÿÿùb²Ûÿ²‹«qçè®ÿë­+-³ùb²Ø§~ìžŠíþë®Ä§¢»ÿºÇ«²X¬µªÜ†+Þþm§ÿÿÃÿê­¬%z¿Ü¢oëyØ«þÇÿ¦wþX¬¢»ÿºÇ«

What?


- John


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
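To make the http_decode line in the post above concrete, here is an added toy model (not Snort's code, and not from anyone in this thread) of what the two options it passes switch off: the alert on IIS-style %uXXXX encoding ("-unicode") and the alert on an embedded %00 in the request URI ("-cginull"). The option parsing, alert names and sample URIs are constructed for illustration.

```python
"""Toy model of the URI normalisation done by Snort 1.8's http_decode
preprocessor.  Constructed example, not Snort source.  The URI is still
percent-decoded when an alert is disabled; only the report is suppressed,
which is the trade-off the post describes for noisy client traffic."""

HEX = "0123456789abcdefABCDEF"


def parse_options(option_string):
    """'80 -unicode -cginull' -> {'unicode', 'cginull'} (disabled alerts).
    Port numbers and anything not starting with '-' are ignored."""
    return {tok[1:] for tok in option_string.split() if tok.startswith("-")}


def normalize_uri(uri, disabled=frozenset()):
    """Decode %XX and %uXXXX sequences in a request URI.
    Returns (decoded_uri, sorted list of alerts not in 'disabled')."""
    out, alerts, i = [], set(), 0
    while i < len(uri):
        ch = uri[i]
        if (ch == "%" and uri[i + 1:i + 2] in ("u", "U")
                and len(uri) >= i + 6 and all(c in HEX for c in uri[i + 2:i + 6])):
            # IIS-style %uXXXX encoding: the 'unicode' alert
            out.append(chr(int(uri[i + 2:i + 6], 16)))
            alerts.add("unicode")
            i += 6
        elif ch == "%" and len(uri) >= i + 3 and all(c in HEX for c in uri[i + 1:i + 3]):
            byte = int(uri[i + 1:i + 3], 16)
            if byte == 0:
                alerts.add("cginull")  # NUL byte inside the URI
            out.append(chr(byte))
            i += 3
        else:
            out.append(ch)
            i += 1
    return "".join(out), sorted(alerts - disabled)


# Constructed sample requests, the kind of odd client submissions the thread mentions
SAMPLE_URIS = [
    "/search?q=caf%u00e9%20latte",
    "/cgi-bin/form.cgi?file=report%00.txt",
    "/index.html?x=hello%20world",
]


def run(uris, option_string=""):
    """Normalise each URI under the given http_decode options."""
    disabled = parse_options(option_string)
    return [(uri,) + normalize_uri(uri, disabled) for uri in uris]


if __name__ == "__main__":
    for row in run(SAMPLE_URIS, "80 -unicode -cginull"):
        print(row)
```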
