Snort mailing list archives
no more "unicode attack detected" alerts
From: "Gary Merrick" <gary.merrick () earthlink net>
Date: Sat, 25 Jan 2003 14:08:21 -0800
Since upgrading from Snort 1.8.7 to 1.9.0, I've stopped getting the "unicode attack detected" alerts that I'm used to seeing. My Apache web logs show the Code Red or Nimda worms are still connecting, but Snort doesn't seem to detect it. I have the web-iis.rules module enabled. And I'm getting other types of alerts, so my network variables seem to be OK.

The new 1.9.0 config file includes some new http decode stuff, and I've tried using it as such (below), or commenting it out completely, neither way gets me the unicode alerts.

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

I know I'm overlooking something, and was hoping somebody out there could help point it out.

TIA!

Gary
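One way to work out from the Apache side which logged requests should have produced decoder alerts, as an added example that is not part of the original post and is not Snort code. It groups raw request URIs by the encoding each `http_decode` option in the post is concerned with; the regexes, the function names and the sample log lines are constructed for this illustration.

```python
import re
from collections import Counter

# Encoding classes keyed by the http_decode option names from the post.
# The regexes are this example's approximation, not Snort's decoder logic.
CHECKS = {
    # Overlong 2-byte UTF-8: lead bytes C0/C1 can only re-encode ASCII.
    "unicode": re.compile(r"%c[01]%[0-9a-f]{2}", re.I),
    # IIS-specific %uXXXX encoding.
    "iis_alt_unicode": re.compile(r"%u[0-9a-f]{4}", re.I),
    # %25 is an encoded '%', so %255c turns into %5c after one decode pass.
    "double_encode": re.compile(r"%25[0-9a-f]{2}|%%[0-9a-f]{2}", re.I),
    # Backslash as path separator, raw or percent-encoded.
    "iis_flip_slash": re.compile(r"\\|%5c", re.I),
}
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/')

# Constructed sample access log (documentation addresses, truncated query).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Jan/2003:13:01:02 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
192.0.2.10 - - [25/Jan/2003:13:01:03 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
192.0.2.10 - - [25/Jan/2003:13:01:04 -0800] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
192.0.2.11 - - [25/Jan/2003:13:05:40 -0800] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 404 280
192.0.2.12 - - [25/Jan/2003:13:09:11 -0800] "GET /index.html HTTP/1.1" 200 1043
"""

def classify(uri):
    """Return the encoding classes present in a raw (undecoded) URI."""
    return [name for name, rx in CHECKS.items() if rx.search(uri)]

def expected_alerts(log_text):
    """Map each suspicious raw URI in an access log to its encoding classes."""
    hits = {}
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m and (classes := classify(m.group(1))):
            hits[m.group(1)] = classes
    return hits

def summary(log_text):
    """Count logged requests per encoding class, for comparison with the IDS alert log."""
    return Counter(c for cls in expected_alerts(log_text).values() for c in cls)

if __name__ == "__main__":
    for uri, classes in expected_alerts(SAMPLE_LOG).items():
        print(", ".join(classes), "->", uri)
    print(dict(summary(SAMPLE_LOG)))
```

A class that shows up here with no matching alert in the same time window narrows the search to the preprocessor or rule responsible for that encoding.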