Snort mailing list archives
Re: your mail
From: gary douglas <GM-Douglas () wiu edu>
Date: Wed, 18 Oct 2006 12:38:36 -0500
I also get a ton of these. I suppress them with the following. I have it in a threshold.conf file that is referenced in the bottom of the snort.conf.

# stop (http_inspect) double decoding attack alerts.
suppress gen_id 119, sig_id 2

I wish there was a central location to get the gen_id of all the different processes. So far I have found the following.

portscan = 122
http_inspect = 119
spp_frag3 = 123

Thank you
Gary Douglas

On Oct 18, 2006, at 10:22 AM, Phil Wood wrote:
Could it be that your users are attacking websites?

On Wed, Oct 18, 2006 at 03:19:51PM +0000, Julien VARLET wrote:

I have these problems when my users browse websites, so I cannot tune it.

-------- Original Message --------
Subject: Re: [Snort-users] DOUBLE DECODING ATTACK (13-oct.-2006 12:46)
From: Joel Esler <joel.esler () sourcefire com>
To: jvarlet () aressi fr

Have you tuned your http_inspect_server lines to accurately reflect your http servers?

J

On Oct 13, 2006, at 6:12 AM, Julien VARLET wrote:

Hi, I get a lot of DOUBLE DECODING ATTACK when http preprocessor is active, but it is only false positives... I do not want to deactivate http preprocessor. What can I do? Thanks.

To: snort.user () gmail com snort-users () lists sourceforge net snort-devel () lists sourceforge net

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

+---------------------------------------------------------------------+
joel esler senior security consultant 1-706-627-2101
Sourcefire Security for the /Real/ World -- http://www.sourcefire.com
Snort - Open Source Network IPS/IDS -- http://www.snort.org
gpg key: http://demo.sourcefire.com/jesler.pgp.key
aim:eslerjoel ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+

--
Phil Wood (cpw_at-sign_lanl.gov)
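Added example, not part of the original post or of Snort itself: Snort ships a gen-msg.map file in its etc directory that lists generator and signature IDs, and the script below uses that layout to report what each suppress line in a threshold.conf silences and whether it applies globally or only to a tracked address range. The map and config text are constructed samples, and the 10.1.1.0/24 subnet and the function names are assumptions.

```python
import re

# Constructed sample in the "gen_id || sig_id || message" layout of gen-msg.map.
GEN_MSG_MAP = """\
# GENERATORS -> msg map
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
122 || 1 || portscan: TCP Portscan
123 || 1 || frag3: IP Options on fragmented packet
"""

# Constructed threshold.conf; the subnet is assumed, gen_id 200 is a deliberate typo.
THRESHOLD_CONF = """\
# stop (http_inspect) double decoding attack alerts.
suppress gen_id 119, sig_id 2
suppress gen_id 122, sig_id 1, track by_src, ip 10.1.1.0/24
suppress gen_id 200, sig_id 7
"""

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$")

def load_gen_msg_map(text):
    """Return {(gen_id, sig_id): message} from gen-msg.map style text."""
    table = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("#", 1)[0].split("||")]
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table

def audit_suppressions(conf_text, table):
    """Return one dict per suppress line: what it silences and how broadly."""
    findings = []
    for line in conf_text.splitlines():
        m = SUPPRESS_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines and non-suppress directives
        gid, sid = int(m.group(1)), int(m.group(2))
        findings.append({
            "gen_id": gid, "sig_id": sid,
            "message": table.get((gid, sid), "UNKNOWN gen_id/sig_id"),
            "scope": f"{m.group(3)} {m.group(4)}" if m.group(3) else "global",
        })
    return findings

if __name__ == "__main__":
    for finding in audit_suppressions(THRESHOLD_CONF, load_gen_msg_map(GEN_MSG_MAP)):
        print(finding)
```

A "global" result means the alert is silenced for every host the sensor sees, including any web servers it protects; a suppress line with track by_src limits it to the listed client range.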