Snort mailing list archives

spp_http_decode


From: niko () digitalenigma com
Date: Mon, 2 Jul 2001 14:16:29 -0400 (EDT)


   I am getting many, many spp_http_decode (IIS Unicode attack detected &
CGI Null Byte attack detected).  I know how to rid myself of these alerts
by adding: preprocessor http_decode: 80 8080 -unicode -cginull

  However, I am reluctant to do this because I am not 100% sure what I am
doing in this respect.  By disabling this feature, will I now miss any
"real alerts"?  What are my options to minimize the amount of false alerts
without compromising security?  Again, any info or suggestions are greatly
appreciated.

Thanks,

Bryan

