Snort mailing list archives
Excluding hosts from spp_unicode
From: John Bradberry <jbradberry () greentreegroup com>
Date: Fri, 10 May 2002 11:30:10 -0500
Hello:

Background:

Our team employs snort 1.8.6 (Build 105) with spp_unicode enabled. Our firewall address is 10.0.0.1. snort is run with the -F option calling this bpf:

'not src host 10.0.0.1 and not dst port 80'

The config includes:

preprocessor portscan-ignorehosts:[10.0.0.1/32]

However, this configuration still results in spp_unicode alerts from outbound http traffic passing through our firewall [10.0.0.1]:

May 10 11:07:37 sensor [110:4:1] spp_unidecode: Invalid Unicode String detected <fxp2> {TCP} 10.0.0.1:27659 -> external_host:80

Any idea on how to exclude a host from spp_unicode? I've read the FAQ and looked at spp_unicode.c with no additional clues. I've also tried several incantations of the bpf filter.

Assistance is much appreciated. Thank you and best regards.

--
John Bradberry
214.312.4449
The Greentree Group