Snort mailing list archives

spp_http_decode: CGI Null Byte attack detected


From: nowhere <nowhere () tear com>
Date: Tue, 03 Jul 2001 14:21:01 -0700

I am getting hits for "spp_http_decode: CGI Null Byte attack detected"
for traffic to a vendor's web site.  I've looked over the packet, and
sure enough, the vendor is using a %00 as part of their form data.
This traffic is from an internal host to the vendor's site, and I'm sure
it's not a hacker.

How can I avoid this false positive?  A reference that describes the
spp stuff would be great too.

I'm on Snort-1.7 with the most recent packet rules.

Thanks!
