Snort mailing list archives

no more "unicode attack detected" alerts


From: "Gary Merrick" <gary.merrick () earthlink net>
Date: Sat, 25 Jan 2003 14:08:21 -0800

Since upgrading from Snort 1.8.7 to 1.9.0, I've stopped getting the
"unicode attack detected" alerts that I'm used to seeing.  My Apache web
logs show the Code Red or Nimda worms are still connecting, but Snort
doesn't seem to detect it.

I have the web-iis.rules module enabled.  And I'm getting other types of
alerts, so my network variables seem to be OK.  The new 1.9.0 config
file includes some new http decode stuff, and I've tried using it as
such (below), or commenting it out completely, neither way gets me the
unicode alerts.

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

I know I'm overlooking something, and was hoping somebody out there
could help point it out.

TIA!
Gary


