Snort mailing list archives

RE: spp_http_decode rules


From: "Erickson Brent W KPWA" <erickson () kpt nuwc navy mil>
Date: Sat, 11 Aug 2001 21:12:59 -0700

Hi Ken,

Your own internal users' normal surfing can trigger these alerts in the
preprocessor. Netscape in particular has been known to trigger them.

Instead of disabling them, try a BPF filter to ignore your outbound http
traffic such as:

snort -d -A fast -c snort.conf 'not (src net xxx.xxx and dst port 80)'

This has worked very well for us over a period of 5-6 months and Snort is
still very able to decode actual and dangerous cgi null and unicode attacks
on our public web servers.

Hope this will help you.

Marty and other experienced Snort users told me how to do this quite
some time ago and the credit is theirs. I just believe in sharing. I had the
same problem with normal outbound http triggering these alerts like big
time.

Brent Erickson

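To make the effect of that BPF filter concrete, here is an added Python model (not code from the thread or from Snort) of which flows the expression still hands to Snort for inspection; the 10.1.0.0/16 network and the sample flows are constructed assumptions standing in for the xxx.xxx placeholder in the command line above.

```python
from ipaddress import ip_address, ip_network

# Constructed assumption: this network stands in for the "xxx.xxx"
# placeholder in the posted command line; it is not a value from the thread.
INTERNAL_NET = ip_network("10.1.0.0/16")

def bpf_expression(net=INTERNAL_NET):
    """Render the filter from the post for a given internal network."""
    return f"not (src net {net} and dst port 80)"

def kept_for_snort(src, dport, net=INTERNAL_NET):
    """Model of the BPF filter: a packet is dropped before any preprocessor
    (http_decode included) runs only if it comes FROM the internal net AND
    is headed TO port 80; everything else still reaches Snort."""
    return not (ip_address(src) in net and dport == 80)

# Constructed sample flows: (label, src, dst, dst_port).
SAMPLE_FLOWS = [
    ("internal browser -> external web site", "10.1.5.20", "198.51.100.7", 80),
    ("external client -> public web server", "203.0.113.9", "10.1.0.10", 80),
    ("public web server -> external client (reply)", "10.1.0.10", "203.0.113.9", 45120),
    ("external client -> public web server on 8080", "203.0.113.9", "10.1.0.10", 8080),
    # Blind spot: traffic from an inside host to your own web server on port 80
    # is filtered out as well, so it is never decoded.
    ("internal host -> internal web server", "10.1.5.20", "10.1.0.10", 80),
]

def classify(flows=SAMPLE_FLOWS, net=INTERNAL_NET):
    """Return {label: True if Snort still inspects the flow, False if filtered}."""
    return {label: kept_for_snort(src, dport, net) for label, src, _dst, dport in flows}

if __name__ == "__main__":
    print(bpf_expression())
    for label, kept in classify().items():
        print(f"{'inspected' if kept else 'filtered':9s}  {label}")
```

Inbound requests to the public web servers and their replies are still inspected, while the filter also hides internal-to-internal requests on port 80, which is worth knowing before relying on it.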

-----Original Message-----
From: Ken Mencher [SMTP:kenm () Buy com]
Sent: Thursday, August 02, 2001 2:55 PM
To:   Snort-Users (E-mail)
Subject:      [Snort-users] spp_http_decode rules

I've got two of these category rules: CGI Null Byte attack & IIS Unicode
attack as two of my most frequent "attacks".  From what I've been able to
determine, they're all totally bogus...but I can't find the .rules file
where they exist...
 
How do I disable those?
 
Ken Mencher
Network/Security Admin
buy.com
949-389-2123 

Cahn's Axiom: When all else fails, read the instructions. 
 


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

