Snort mailing list archives

Re: spp_http_decode


From: Vitaly Osipov <vosipov () wolfegroup ie>
Date: Tue, 03 Jul 2001 10:13:01 +0100

It's all because the unicode preprocessor is simply incorrectly written
- looks like it matches those unicode symbols in the whole load of the
packet, not in the URI part only, so it alerts on each more or less
complicated cookie, weird script parameter (the kind that is used for
session tracking, for example). I had a discussion about it with Fyodor
a couple of weeks ago, so I hope it'll get fixed very soon.

regards,
Vitaly.



niko () digitalenigma com wrote:

   I am getting many, many spp_http_decode (IIS Unicode attack detected &
CGI Null Byte attack detected).  I know how to rid myself of these alerts
by adding: preprocessor http_decode: 80 8080 -unicode -cginull

  However, I am reluctant to do this because I am not 100% sure what I am
doing in this respect.  By disabling this feature, will I now miss any
"real alerts"?  What are my options to minimize the amount of false alerts
without compromising security?  Again, any info or suggestions are greatly
appreciated.

Thanks,

Bryan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
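
The scoping problem described in the reply above, as an added example that is not part of the original thread and is not Snort's code: the same two checks are run once over the whole payload and once over the request URI only. The patterns are simplified stand-ins for the "unicode" and "cginull" checks, and the function names and both sample requests are constructed for illustration.

```python
import re

# Simplified stand-ins for the two checks (assumptions, not Snort's logic):
# a percent-encoded overlong UTF-8 pair (%c0/%c1 lead byte followed by a
# continuation byte) and a percent-encoded NUL.
OVERLONG = re.compile(rb"%c[01]%[89ab][0-9a-f]", re.I)
NULL_BYTE = re.compile(rb"%00")


def request_uri(payload: bytes) -> bytes:
    """Return the request-target from the request line.

    If the line has no second token, return the whole first line so a
    malformed request line is still inspected rather than skipped.
    """
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    return parts[1] if len(parts) >= 2 else line


def scan(data: bytes) -> list:
    """Return the names of the checks that match in data."""
    alerts = []
    if OVERLONG.search(data):
        alerts.append("unicode")
    if NULL_BYTE.search(data):
        alerts.append("cginull")
    return alerts


def scan_whole_payload(payload: bytes) -> list:
    # Behaviour the reply describes: headers and cookies are matched too.
    return scan(payload)


def scan_uri_only(payload: bytes) -> list:
    # Scope the reply says the check should have.
    return scan(request_uri(payload))


# Constructed samples: an ordinary page fetch whose session cookie happens
# to contain matching bytes, and a request with the encoding in the URI.
BENIGN_COOKIE = (b"GET /index.html HTTP/1.0\r\n"
                 b"Host: www.example.com\r\n"
                 b"Cookie: sid=9f%C1%9Cq7%00ab\r\n\r\n")
ENCODED_URI = (b"GET /a%c0%afb HTTP/1.0\r\n"
               b"Host: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("cookie", BENIGN_COOKIE), ("uri", ENCODED_URI)):
        print(name, scan_whole_payload(req), scan_uri_only(req))
```

Scoping to the URI drops both alerts on the cookie request while the encoded URI is still flagged.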


