Snort mailing list archives
Re: spp_http_decode
From: Vitaly Osipov <vosipov () wolfegroup ie>
Date: Tue, 03 Jul 2001 10:13:01 +0100
It's all because the unicode preprocessor is simply incorrectly written - it looks like it matches those unicode symbols in the whole payload of the packet, not in the URI part only, so it alerts on every more or less complicated cookie or weird script parameter (the kind that is used for session tracking, for example). I had a discussion about it with Fyodor a couple of weeks ago, so I hope it'll get fixed very soon.

regards,
Vitaly.

niko () digitalenigma com wrote:
I am getting many, many spp_http_decode alerts (IIS Unicode attack detected & CGI Null Byte attack detected). I know how to rid myself of these alerts by adding:

preprocessor http_decode: 80 8080 -unicode -cginull

However, I am reluctant to do this because I am not 100% sure what I am doing in this respect. By disabling this feature, will I now miss any "real alerts"? What are my options to minimize the amount of false alerts without compromising security? Again, any info or suggestions are greatly appreciated.

Thanks,
Bryan

_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
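The false-positive mechanism Vitaly describes, as an added illustration that is not part of the thread and not the preprocessor's own code: the same two indicator checks are run once over the whole packet and once over the request-URI only. The indicator heuristics (a percent-encoded byte with the high bit set stands for the "IIS Unicode" check, `%00` for the "CGI Null Byte" check) are assumptions made for this example, the three HTTP requests are constructed samples rather than captured traffic, and the function names are hypothetical.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample requests (not captured traffic).
# Null byte inside the request-URI: what the "CGI Null Byte" check is meant to catch.
NULL_IN_URI = (
    b"GET /cgi-bin/view?file=report%00.txt HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)
# High-bit percent-encoded bytes in the URI: what the "IIS Unicode" check is meant to catch.
UNICODE_IN_URI = (
    b"GET /app/%c0%afdata HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)
# Clean URI, but a cookie carrying percent-encoded UTF-8 (an accented display name).
BENIGN_COOKIE = (
    b"GET /index.html HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: lang=fr; display_name=Ren%C3%A9\r\n"
    b"\r\n"
)

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def find_indicators(data: bytes) -> Set[str]:
    """Assumed stand-in for the two checks: a percent-encoded byte with the
    high bit set counts as 'unicode', and %00 counts as 'cginull'."""
    found: Set[str] = set()
    for m in PCT.finditer(data):
        value = int(m.group(1), 16)
        if value == 0x00:
            found.add("cginull")
        elif value >= 0x80:
            found.add("unicode")
    return found


def split_request(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Return (request-URI, headers, body) for a raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return uri, headers, body


def scan_whole_payload(raw: bytes) -> Set[str]:
    """The behaviour complained about in the thread: match anywhere in the packet."""
    return find_indicators(raw)


def scan_uri_only(raw: bytes) -> Set[str]:
    """The scoped behaviour: only the request-URI is inspected."""
    uri, _, _ = split_request(raw)
    return find_indicators(uri)


def compare(raw: bytes) -> Dict[str, Set[str]]:
    """Side-by-side result of both scan scopes for one request."""
    return {"whole_payload": scan_whole_payload(raw), "uri_only": scan_uri_only(raw)}


if __name__ == "__main__":
    samples = (
        ("null-in-uri", NULL_IN_URI),
        ("unicode-in-uri", UNICODE_IN_URI),
        ("benign-cookie", BENIGN_COOKIE),
    )
    for label, req in samples:
        print(label, compare(req))
```

Running it shows the two URI cases flagged by both scopes, while the cookie request is flagged only by the whole-payload scan: that is the class of alert a session-tracking cookie or an odd script parameter generates when the check is not limited to the URI. Turning the checks off with `-unicode -cginull`, as the question proposes, silences the cookie alert but equally silences the two URI cases, which is why scoping the check is the fix rather than disabling it.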