Snort mailing list archives

Excluding hosts from spp_unicode


From: John Bradberry <jbradberry () greentreegroup com>
Date: Fri, 10 May 2002 11:30:10 -0500

Hello:

Background:

Our team employs snort 1.8.6 (Build 105) with spp_unicode enabled.

Our firewall address is 10.0.0.1.

snort is run with the -F option calling this bpf:

'not src host 10.0.0.1 and not dst port 80'

The config includes:
preprocessor portscan-ignorehosts:[10.0.0.1/32]

However, this configuration still results in spp_unicode alerts from outbound http traffic
passing through our firewall [10.0.0.1]:

May 10 11:07:37 sensor [110:4:1] spp_unidecode: Invalid Unicode String detected <fxp2> {TCP} 10.0.0.1:27659 -> external_host:80

Any idea on how to exclude a host from spp_unicode?  I've read the FAQ and looked at
spp_unicode.c with no additional clues.  I've also tried several incantations of the bpf
filter.  Assistance is much appreciated.

Thank you and best regards.

--
John Bradberry
214.312.4449
The Greentree Group



