Snort mailing list archives
Re: Double Decoding Attack bad?
From: "Chris Libby" <chris.a.libby () gmail com>
Date: Thu, 15 Nov 2007 09:41:20 -0500
I had been getting alerts on this and various other HTTP_INSPECT attacks all the time. Most were from one internal computer to another (typically Word/Excel opening a document from Sharepoint), and a few from a Mail2Go package out to the Internet. Too many false positives to be useful. However, you may want to see what computers this is coming from and look at the traffic for yourself before you turn it off. On Nov 15, 2007 7:09 AM, The New York NOC Inc. <andy () thenynoc com> wrote:
Hey everyone, I get a lot of (http_inspect) Double Decoding Attack events. Is this bad? There isn't too much information on this so any help would be appreciated. Thanks Andy ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Chris Libby (chris.a.libby () gmail com)
------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Double Decoding Attack bad? The New York NOC Inc. (Nov 15)
- Re: Double Decoding Attack bad? Chris Libby (Nov 15)
- Re: Double Decoding Attack bad? Joel Esler (Nov 15)
- Re: Double Decoding Attack bad? Chris Libby (Nov 15)