Snort mailing list archives
Re: IIS Unicode attack detected
From: Andrew Daviel <andrew () andrew triumf ca>
Date: Sun, 12 Aug 2001 16:58:42 -0700 (PDT)
On Sat, 17 Mar 2001, Andrew R. Baker wrote:
And in 1.7.1 (which is still in beta). You can have the http_decode processor ignore certain hosts.
Me, too. (an IT cartoon recently suggested a filter for this in outgoing mail :-) )

I have also seen many false positives on this and afaik no real alerts. Playing with code red rules recently I dumped some data and can say yes, it looks like a Japanese user using a search engine, e.g.

    GET /intl/ja/images/Title_Lef.gif HTTP/1.0
    If-Modified-Since: Tue, 21 Nov 20 16:20:07 GMT; length=4841
    Referer: http://www.google.com/search?q=.....s.R.%EC%95s%97R%94%FC&hl=ja&lr=lang_ja
    Connection: Keep-Alive
    etc.

We don't have just one Asian user, and they don't all go to the same site, so ignoring a host or two isn't going to help.

Is it not possible to trigger on real exploits and not just someone using Unicode?

Andrew Daviel
TRIUMF
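One way to separate the two cases raised in the message above, as an added example that is not part of the original post and not Snort's http_decode code: alert only on overlong UTF-8 sequences (an ASCII character encoded with more bytes than it needs) instead of on any high-bit byte. The function names and the two constructed samples are assumptions; the Referer value is the one quoted in the message.

```python
import re

_ESC = re.compile(rb"%([0-9A-Fa-f]{2})")

def percent_decode(raw: bytes) -> bytes:
    """Turn %XX escapes into raw bytes; everything else is left untouched."""
    return _ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def overlong_sequences(data: bytes):
    """Return (offset, raw bytes, code point) for each overlong UTF-8 sequence."""
    hits, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b < 0xE0:
            n, cp, minimum = 1, b & 0x1F, 0x80
        elif 0xE0 <= b < 0xF0:
            n, cp, minimum = 2, b & 0x0F, 0x800
        elif 0xF0 <= b < 0xF8:
            n, cp, minimum = 3, b & 0x07, 0x10000
        else:
            i += 1            # ASCII, stray continuation byte, or invalid lead
            continue
        tail = data[i + 1:i + 1 + n]
        if len(tail) == n and all(t & 0xC0 == 0x80 for t in tail):
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            if cp < minimum:  # encoded with more bytes than the value needs
                hits.append((i, data[i:i + 1 + n], cp))
            i += 1 + n
        else:
            i += 1            # not well-formed UTF-8 (e.g. Shift-JIS): no alert
    return hits

def check_uri(raw: bytes):
    """Hits that hide an ASCII character behind a multi-byte encoding."""
    return [h for h in overlong_sequences(percent_decode(raw)) if h[2] < 0x80]

# Referer value copied from the request quoted in the message above.
PAGE_REFERER = b"http://www.google.com/search?q=.....s.R.%EC%95s%97R%94%FC&hl=ja&lr=lang_ja"
# Constructed samples, not taken from the page.
VALID_UTF8 = b"/search?q=%E6%97%A5%E6%9C%AC"   # well-formed UTF-8 Japanese text
OVERLONG = b"/docs/%c0%afindex.html"           # 2-byte encoding of '/'

if __name__ == "__main__":
    for sample in (PAGE_REFERER, VALID_UTF8, OVERLONG):
        print(sample.decode("ascii"), "->", check_uri(sample))
```

Legacy double-byte encodings can occasionally produce a byte pair that matches an overlong form, so a hit is best correlated with where it occurs (request path rather than query string or Referer) before alerting.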
Current thread:
- Re: IIS Unicode attack detected Andrew Daviel (Aug 12)
- RE: IIS Unicode attack detected John Berkers (Aug 13)