Snort mailing list archives
RE: spp_http_decode rules
From: "John Berkers" <berjo () ozemail com au>
Date: Sun, 12 Aug 2001 11:51:01 +1000
Ken,

All alerts that start with a spp_ are generated by one of the Snort preprocessors; there is no rule that triggers these. This doesn't mean that the packets are totally bogus, it means that the preprocessor has found something that it's been told to look for. In this case the http preprocessor is checking for the use of Unicode encoded URLs and Null bytes in CGI requests.

Unicode is often used by hackers to defeat ../ checking by encoding it in double-byte characters. CGI Null byte attacks are used for similar purposes.

I would suggest looking at the packet contents, you will likely find something along the lines of:

    GET /scripts/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir

This is someone (or a script) trying to use the CMD.EXE on a Microsoft IIS server. This attack also works against a number of other web servers, but these bugs have been patched in both IIS and Apache (if it ever existed in Apache). Most other vendors have also patched their products.

The IIS Unicode attack detected message is extremely useful if you have some web servers whose patch level you are not sure of, since you can spot an attack easily.

If you decide that you want to turn these alerts off you can use the following syntax in snort.conf:

    preprocessor http_decode: 80 -cginull -unicode

Hope that helps you.

Regards,
John Berkers
berjo () ozemail com au

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ken Mencher
Sent: Friday, 3 August 2001 7:55
To: Snort-Users (E-mail)
Subject: [Snort-users] spp_http_decode rules

I've got two of these category rules: CGI Null Byte attack & IIS Unicode attack as two of my most frequent "attacks". From what I've been able to determine, they're all totally bogus... but I can't find the .rules file where they exist... How do I disable those?

Ken Mencher
Network/Security Admin
buy.com
949-389-2123

Cahn's Axiom: When all else fails, read the instructions.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
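To show concretely what the http_decode preprocessor is looking for when it raises the two alerts discussed in this thread, here is an added, self-contained Python illustration (not Snort source code, and not part of the original message). It percent-decodes a request URI, flags overlong UTF-8 "Unicode" sequences such as %c0%af that decode to an ASCII '/', flags embedded NUL bytes as a CGI null-byte attempt, and then checks the normalized path for ../ traversal. The `unicode` and `cginull` keyword arguments mirror the -unicode and -cginull switches from the snort.conf line above; the sample request lines are constructed for this example.

```python
"""Illustrative re-implementation of the checks behind Snort's
spp_http_decode alerts (added example, not Snort's own code)."""

import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines: one benign, one IIS-style Unicode
# traversal, one CGI null-byte, and one legitimate UTF-8 file name.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /cgi-bin/view.cgi?file=/etc/passwd%00.html HTTP/1.0",
    "GET /images/caf%C3%A9.png HTTP/1.0",
]


def decode_overlong_utf8(data: bytes):
    """Walk percent-decoded bytes. Well-formed UTF-8 is kept untouched;
    2- and 3-byte sequences whose code point is below the minimum for
    that length (overlong, e.g. C0 AF -> '/') are replaced by the
    canonical encoding and counted."""
    out = bytearray()
    overlong = 0
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            length, minimum = 2, 0x80
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and all(0x80 <= c <= 0xBF for c in data[i + 1:i + 3])):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            length, minimum = 3, 0x800
        else:
            out.append(b)  # plain byte or not a recognised lead byte
            i += 1
            continue
        if cp < minimum:
            overlong += 1
            out.extend(chr(cp).encode("utf-8"))  # e.g. 0x2F -> b"/"
        else:
            out.extend(data[i:i + length])
        i += length
    return bytes(out), overlong


def inspect_request(request_line: str, unicode: bool = True, cginull: bool = True) -> dict:
    """Return the decoded URI and the list of alerts it would raise."""
    _method, _, rest = request_line.partition(" ")
    uri = rest.rsplit(" ", 1)[0]  # drop the trailing "HTTP/1.x"
    raw = unquote_to_bytes(uri)  # %XX -> bytes ('+' is left alone, as in a path)
    normalized, overlong = decode_overlong_utf8(raw)
    alerts = []
    if unicode and overlong:
        alerts.append("IIS Unicode attack detected")
    if cginull and b"\x00" in raw:
        alerts.append("CGI Null Byte attack detected")
    path = normalized.split(b"?", 1)[0]
    if re.search(rb"(^|/)\.\.(/|$)", path):  # traversal visible only after decoding
        alerts.append("directory traversal")
    return {"uri": uri,
            "normalized": normalized.decode("utf-8", "replace"),
            "alerts": alerts}


def scan(requests):
    """Map each request line to its alert list."""
    return {line: inspect_request(line)["alerts"] for line in requests}


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        result = inspect_request(line)
        print(f"{result['normalized']:<50} {result['alerts'] or 'clean'}")
```

The important point for tuning rather than silencing: the traversal in the second sample is invisible to a plain ../ string match until the overlong sequence is decoded, which is why the preprocessor decodes first and why the alert fires even when the target server is patched. Turning off -unicode removes the first alert but, in this model, the traversal check still fires on the normalized path.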
Current thread:
- spp_http_decode rules Ken Mencher (Aug 02)
- RE: spp_http_decode rules John Berkers (Aug 03)
- RE: spp_http_decode rules John Berkers (Aug 11)
- Re: spp_http_decode rules Erek Adams (Aug 11)
- <Possible follow-ups>
- RE: spp_http_decode rules Erickson Brent W KPWA (Aug 11)