Snort mailing list archives

Re: Not feeling the LOVE


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 4 Mar 2002 11:19:28 -0800 (PST)

On Mon, 4 Mar 2002, Ben Keepper wrote:

I have posted several times all over webdom and have not received a
single reply to this question:

"I posted this to the snort users list. No replies. I don't think it is
a stupid question and it is not covered in the documentation.
I am getting a lot of spp_unidecode (mostly CGI null byte attack) false
positives originating from my firewall NAT address going ONLY to specific
web sites (ingrammicro and compaq to be specific).
How can I eliminate these false positives. Obviously normal rule
modifications won't work because this is a preprocessor.
ANY help would be appreciated."

If everybody is ignoring this because it is covered in the documentation,
please be helpful and point me to the spot.

Nope, that's not it.  I just really don't have a good answer for you since
I've never seen this.

I can't believe I am the only one having this issue.

Well...  You could be.  Many devices have really funky TCP/IP stacks.  If your
device has something odd and/or isn't fully configed then it could cause this.
Since it's just those two sites, I'd bet they are behind some sort of load
balancer device.  Perhaps the same one at both places....

Once again, any help (or thoughts) would be appreciated,

Well, my suggestion would be to read the .conf file.  :)  In there I find the
following sections:

# http_decode: normalize HTTP requests
# ------------------------------------
[...snip...]
# You may also specify -unicode to turn off detection of
# UNICODE directory traversal, etc attacks.  Use -cginull to
# turn off detection of CGI NULL code attacks.

preprocessor http_decode: 80 -unicode -cginull


# unidecode: normalize HTTP/detect UNICODE attacks
# ------------------------------------------------
# Works much the same as http_decode, but does a better
# job of categorizing and identifying UNICODE attacks,
# recommended as a potential replacement for http_decode.

# preprocessor unidecode: 80 -unicode -cginull

From reading that, I assume that since you're seeing these errors, you've
uncommented unidecode and removed the -cginull flag.  Since the switches work
the same way as http_decode, try adding the -cginull switch back onto that
command line.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
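Added example, not part of the thread or of Snort itself: a small model of what the http_decode/unidecode switches discussed above do, using constructed request lines. It percent-decodes a URI and reports the two alert categories, with keyword arguments standing in for the -unicode and -cginull switches, so you can see that dropping -cginull silences only the null byte category while UNICODE traversal alerts still fire.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (not from the thread). The first two carry
# an encoded NUL, the condition spp_unidecode reports as a CGI null byte attack;
# the third carries an overlong UTF-8 '/', the classic UNICODE traversal form.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/index.cgi?id=1%00 HTTP/1.0",
    "GET /download/file.pdf%00.html HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0",
    "GET /products/list.asp?cat=42 HTTP/1.0",
]

def request_uri(request_line):
    """Return the URI field of a request line, or None if it is not one."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else None

def check_uri(uri, unicode_check=True, cginull_check=True):
    """Normalise one URI and return the alert names it would raise.

    unicode_check=False models '-unicode' and cginull_check=False models
    '-cginull' on the http_decode/unidecode preprocessor line: each switch
    silences one category only; the other category still fires.
    """
    decoded = unquote_to_bytes(uri)
    alerts = []
    if cginull_check and b"\x00" in decoded:
        alerts.append("CGI null byte attack")
    # 0xC0 and 0xC1 can never lead a valid UTF-8 sequence; they appear only
    # in overlong encodings such as %c0%af (an encoded '/'), so their presence
    # after decoding marks a UNICODE directory traversal attempt.
    if unicode_check and any(b in (0xC0, 0xC1) for b in decoded):
        alerts.append("UNICODE directory traversal")
    return alerts

def check_requests(requests, unicode_check=True, cginull_check=True):
    """Map each request line to its alert list under the given switches."""
    results = {}
    for line in requests:
        uri = request_uri(line)
        results[line] = check_uri(uri, unicode_check, cginull_check) if uri else []
    return results

if __name__ == "__main__":
    for label, kw in (("default", {}), ("-cginull", {"cginull_check": False})):
        print(f"== {label} ==")
        for line, alerts in check_requests(SAMPLE_REQUESTS, **kw).items():
            print(f"{line!r}: {alerts or 'no alert'}")
```

Before silencing the category for good, it is worth capturing one of the offending requests to those two sites and running its URI through check_uri to see what byte is actually encoded; a NUL in a request from your own NAT address points at a client or intermediate device quirk, which is what the thread suspects.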

