Snort mailing list archives

RE: spp_http_decode rules


From: "John Berkers" <berjo () ozemail com au>
Date: Fri, 3 Aug 2001 19:01:13 +1000

The reason you can't find them is that they're actually generated by a
preprocessor (http_decode).  The http_decode preprocessor normalises any
unicode representations of characters and then passes them back to snort for
matching against rules.  If a particular pattern of unicode characters is
detected the ISS Unicode attack event is logged. (no, that's not a spelling
error, it doesn't only affect MS IIS, the vuln was first discovered by ISS
guys).

You can turn them off by specifying -unicode and -cginull after the
http_decode thusly:

preprocessor http_decode: 80 -unicode -cginull

These events are sometimes triggered by visiting sites that use multi-byte
characters such as Simplified Chinese etc.

Regards,
John Berkers
berjo () ozemail com au
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Ken Mencher
Sent: Friday, 3 August 2001 7:55
To: Snort-Users (E-mail)
Subject: [Snort-users] spp_http_decode rules


I've got two of these category rules: CGI Null Byte attack & IIS Unicode
attack as two of my most frequent "attacks".  From what I've been able to
determine, they're all totally bogus...but I can't find the .rules file
where they exist...

How do I disable those?

Ken Mencher
Network/Security Admin
buy.com
949-389-2123
Cahn's Axiom: When all else fails, read the instructions.


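To make the decode-then-inspect step concrete, here is an added Python example (it is not code from this thread and not Snort's spp_http_decode source) that models what such a preprocessor does before rule matching: percent-decode the request URI, including the IIS-only %uXXXX wide escapes and the overlong UTF-8 slash forms, and only then look for the patterns a plain string match on the wire bytes would miss. The finding names, the two overlong sequences it knows (%c0%af and %c1%9c), the "high-bit byte" heuristic and the verdict labels are this example's own assumptions, chosen to show why a legitimate UTF-8 query string (Simplified Chinese, say) trips the broad check while a null byte or an overlong slash is the real thing.

```python
import re
from dataclasses import dataclass, field

# One token of the raw URI: an IIS %uXXXX wide escape, a %XX byte escape,
# or a single literal character.
_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.DOTALL)

# Two-byte overlong UTF-8 forms of '/' and '\' seen in the classic IIS
# traversal. Limited to these two for the example (assumption).
_OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}


@dataclass
class Normalized:
    path: str                       # what the rule matcher would see
    findings: set = field(default_factory=set)
    valid_utf8: bool = True


def normalize(raw: str) -> Normalized:
    """Percent-decode a URI and record what the decoding revealed."""
    out = bytearray()
    findings = set()
    for m in _TOKEN.finditer(raw):
        wide, hexbyte, lit = m.groups()
        if wide is not None:
            # %uXXXX is only honoured by IIS; its presence alone is a signal.
            findings.add("iis_unicode_wide")
            out += chr(int(wide, 16)).encode("utf-8")
        elif hexbyte is not None:
            b = int(hexbyte, 16)
            if b == 0:
                # A decoded NUL truncates C strings in the CGI behind the server.
                findings.add("cgi_null")
            out.append(b)
        else:
            out += lit.encode("utf-8")
    # Collapse overlong encodings to the ASCII byte they stand for, so a
    # later "../" rule sees the traversal instead of raw \xc0\xaf.
    for seq, plain in _OVERLONG.items():
        if seq in out:
            findings.add("iis_unicode_overlong")
            out = out.replace(seq, plain)
    # Broad heuristic (example's assumption): any remaining byte >= 0x80.
    # This is what fires on ordinary multi-byte text after decoding.
    if any(b >= 0x80 for b in out):
        findings.add("high_bit_bytes")
    try:
        path, valid = out.decode("utf-8"), True
    except UnicodeDecodeError:
        path, valid = out.decode("latin-1"), False
    return Normalized(path, findings, valid)


def verdict(n: Normalized) -> str:
    """Separate real encoding tricks from legitimate multi-byte text."""
    if n.findings & {"cgi_null", "iis_unicode_wide", "iis_unicode_overlong"}:
        return "alert"
    if "high_bit_bytes" in n.findings:
        # Well-formed UTF-8 with no overlong forms is most likely a real
        # query in a non-Latin script, the false positive the thread is about.
        return "noise" if n.valid_utf8 else "suspect"
    return "clean"


if __name__ == "__main__":
    # Constructed sample URIs, not captured traffic.
    for uri in (
        "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
        "/cgi-bin/lookup.cgi?name=foo%00.html",
        "/default.asp?f=%u002e%u002e%u002fboot.ini",
        "/search?q=%E4%B8%AD%E6%96%87",
        "/index.html",
    ):
        n = normalize(uri)
        print(f"{verdict(n):7} {sorted(n.findings)!s:45} {n.path!r}")
```

The point of the split between `normalize` and `verdict` is that the decoding is the same in every case; what differs is which post-decoding facts you alert on. Dropping `-unicode` from the preprocessor line, as the reply suggests, silences the whole class; the equivalent here is ignoring `high_bit_bytes` while keeping the null-byte and overlong checks, which is usually the better trade.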

