Re: Double Decoding Attack bad?

[Joel Esler <joel.esler () sourcefire com>]

http_inspect alerts are important.

They aren't false positives, they are actually triggering on traffic, you just may not understand what is going on in 
the traffic.

1)  Set your variables.  HOME_NET, HTTP_SERVERS, etc...  should all be set to what is relevant in your network.
2)  Tune your web servers that are protected by Snort in a line by line basis in your http_inspect preprocessor.  Use 
your profiles.  (iis, apache, etc) This is key.

Then suppress what you need to.  However, just because alerts are coming from a preprocessor doesn't mean they are any 
less important then the rules.  These are all alerts that still need to be reviewed.

J 


On Thu, Nov 15, 2007 at 09:41:20AM -0500, it looks like Chris Libby sent me:
>    I had been getting alerts on this and various other HTTP_INSPECT attacks
>    all the time.  Most were from one internal computer to another (typically
>    Word/Excel opening a document from Sharepoint), and a few from a Mail2Go
>    package out to the Internet.  Too many false positives to be useful.
>    However, you may want to see what computers this is coming from and look
>    at the traffic for yourself before you turn it off.
>
>    On Nov 15, 2007 7:09 AM, The New York NOC Inc. <[1]andy () thenynoc com>
>    wrote:
>
>      Hey everyone,
>
>      I get a lot of (http_inspect) Double Decoding Attack  events.  Is this
>      bad?  There isn't too much information on this so any help would be
>      appreciated.
>
>      Thanks
>      Andy
>
>
>      -------------------------------------------------------------------------
>      This SF.net email is sponsored by: Splunk Inc.
>      Still grepping through log files to find problems?  Stop.
>      Now Search log events and configuration files using AJAX and a browser.
>      Download your FREE copy of Splunk now >> [2]http://get.splunk.com/
>      _______________________________________________
>      Snort-users mailing list
>      [3]Snort-users () lists sourceforge net
>      Go to this URL to change user options or unsubscribe:
>      [4]https://lists.sourceforge.net/lists/listinfo/snort-users
>      Snort-users list archive:
>      [5]http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>    --
>    Chris Libby ([6]chris.a.libby () gmail com)
>
> References
>
>    Visible links
>    1. mailto:andy () thenynoc com
>    2. http://get.splunk.com/
>    3. mailto:Snort-users () lists sourceforge net
>    4. https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users
>    5. http://www.geocrawler.com/redir-sf.php3?list=snort-users
>    6. mailto:chris.a.libby () gmail com

> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/

> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users







-----
joel esler 
D4E0 D59F D2C2 234E 6CEF  05E7 29B0 92C9 71DC 92DE

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users