Snort mailing list archives

how to get "unicode attack detected" alerts?


From: "Gary Merrick" <gary.merrick () earthlink net>
Date: Fri, 7 Feb 2003 09:24:01 -0800

Snort 1.9.0 doesn't trigger alerts when unicode attacks occur.  My Apache web
logs show the Code Red or Nimda worms are connecting, and the web.iis rules are
enabled.  Other alerts are coming through, so there is at least some level of
proper configuration.  Here's my http_decode statement in the conf file:

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

So what would be keeping the unicode attack detected alerts from coming through?
Is everybody else out there getting them under Snort 1.9.0?

Any pointers would be very much appreciated.

Thanks in advance,
Gary


