Snort mailing list archives
Re: Double Decoding Attack bad?
From: Joel Esler <joel.esler () sourcefire com>
Date: Thu, 15 Nov 2007 09:54:16 -0500
http_inspect alerts are important. They aren't false positives, they are actually triggering on traffic, you just may not understand what is going on in the traffic. 1) Set your variables. HOME_NET, HTTP_SERVERS, etc... should all be set to what is relevant in your network. 2) Tune your web servers that are protected by Snort in a line by line basis in your http_inspect preprocessor. Use your profiles. (iis, apache, etc) This is key. Then suppress what you need to. However, just because alerts are coming from a preprocessor doesn't mean they are any less important then the rules. These are all alerts that still need to be reviewed. J On Thu, Nov 15, 2007 at 09:41:20AM -0500, it looks like Chris Libby sent me:
I had been getting alerts on this and various other HTTP_INSPECT attacks all the time. Most were from one internal computer to another (typically Word/Excel opening a document from Sharepoint), and a few from a Mail2Go package out to the Internet. Too many false positives to be useful. However, you may want to see what computers this is coming from and look at the traffic for yourself before you turn it off. On Nov 15, 2007 7:09 AM, The New York NOC Inc. <[1]andy () thenynoc com> wrote: Hey everyone, I get a lot of (http_inspect) Double Decoding Attack events. Is this bad? There isn't too much information on this so any help would be appreciated. Thanks Andy ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> [2]http://get.splunk.com/ _______________________________________________ Snort-users mailing list [3]Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: [4]https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: [5]http://www.geocrawler.com/redir-sf.php3?list=snort-users -- Chris Libby ([6]chris.a.libby () gmail com) References Visible links 1. mailto:andy () thenynoc com 2. http://get.splunk.com/ 3. mailto:Snort-users () lists sourceforge net 4. https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users 5. http://www.geocrawler.com/redir-sf.php3?list=snort-users 6. mailto:chris.a.libby () gmail com
------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
----- joel esler D4E0 D59F D2C2 234E 6CEF 05E7 29B0 92C9 71DC 92DE ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Double Decoding Attack bad? The New York NOC Inc. (Nov 15)
- Re: Double Decoding Attack bad? Chris Libby (Nov 15)
- Re: Double Decoding Attack bad? Joel Esler (Nov 15)
- Re: Double Decoding Attack bad? Chris Libby (Nov 15)