Snort mailing list archives
RE: spp_http_decode rules
From: "John Berkers" <berjo () ozemail com au>
Date: Fri, 3 Aug 2001 19:01:13 +1000
The reason you can't find them is that they're actually generated by a preprocessor (http_decode). The http_decode preprocessor normalises any unicode representations of characters and then passes them back to snort for matching against rules. If a particular pattern of unicode characters is detected the ISS Unicode attack event is logged. (No, that's not a spelling error: it doesn't only affect MS IIS, the vuln was first discovered by ISS guys.)

You can turn them off by specifying -unicode and -cginull after the http_decode thusly:

preprocessor http_decode: 80 -unicode -cginull

These events are sometimes triggered by visiting sites that use multi-byte characters such as Simplified Chinese etc.

Regards,
John Berkers
berjo () ozemail com au

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ken Mencher
Sent: Friday, 3 August 2001 7:55
To: Snort-Users (E-mail)
Subject: [Snort-users] spp_http_decode rules

I've got two of these category rules: CGI Null Byte attack & IIS Unicode attack as two of my most frequent "attacks". From what I've been able to determine, they're all totally bogus... but I can't find the .rules file where they exist... How do I disable those?

Ken Mencher
Network/Security Admin
buy.com
949-389-2123

Cahn's Axiom: When all else fails, read the instructions.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
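As an added illustration of the reply above (example code, not Snort's own preprocessor), this is a simplified model of what http_decode does to a request URI: it decodes %XX and %uXXXX escapes before rule matching and raises the two events the thread names, with the -unicode and -cginull switches parsed from the config line. The exact byte patterns that made the real preprocessor fire are an assumption here; the model treats %uXXXX escapes and high-bit bytes (the multi-byte page text John mentions) as the "unicode" case and %00 as the "null byte" case.

```python
import re
from dataclasses import dataclass, field

# Simplified model of Snort's http_decode preprocessor (added example, not
# Snort's code). Which patterns the real preprocessor alerted on is assumed.
ESCAPE = re.compile(rb"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


@dataclass
class HttpDecodeConfig:
    ports: set = field(default_factory=lambda: {80})
    unicode: bool = True   # alert on %uXXXX escapes and high-bit bytes
    cginull: bool = True   # alert on %00 in the URI


def parse_http_decode_line(line: str) -> HttpDecodeConfig:
    """Parse a line such as 'preprocessor http_decode: 80 -unicode -cginull'."""
    _, _, args = line.partition(":")
    cfg = HttpDecodeConfig(ports=set())
    for tok in args.split():
        if tok == "-unicode":
            cfg.unicode = False
        elif tok == "-cginull":
            cfg.cginull = False
        elif tok.isdigit():
            cfg.ports.add(int(tok))
        else:
            raise ValueError(f"unknown http_decode argument: {tok}")
    return cfg


def normalise_uri(uri: bytes, cfg: HttpDecodeConfig):
    """Decode escapes in the URI; return (decoded bytes, sorted event names)."""
    out, events, pos = bytearray(), set(), 0
    for m in ESCAPE.finditer(uri):
        out += uri[pos:m.start()]
        if m.group(1):                              # %uXXXX codepoint escape
            out += chr(int(m.group(1), 16)).encode("utf-8")
            if cfg.unicode:
                events.add("IIS Unicode attack")
        else:
            byte = int(m.group(2), 16)
            out += bytes([byte])
            if byte == 0 and cfg.cginull:
                events.add("CGI Null Byte attack")
            elif byte >= 0x80 and cfg.unicode:       # e.g. GB2312 page text
                events.add("IIS Unicode attack")
        pos = m.end()
    out += uri[pos:]
    return bytes(out), sorted(events)
```

With the switches from the reply applied, the same Simplified Chinese URI decodes identically but produces no event, which is the behaviour the thread is after.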
Current thread:
- spp_http_decode rules Ken Mencher (Aug 02)
- RE: spp_http_decode rules John Berkers (Aug 03)
- RE: spp_http_decode rules John Berkers (Aug 11)
- Re: spp_http_decode rules Erek Adams (Aug 11)
- <Possible follow-ups>
- RE: spp_http_decode rules Erickson Brent W KPWA (Aug 11)