Snort mailing list archives
how to get "unicode attack detected" alerts?
From: "Gary Merrick" <gary.merrick () earthlink net>
Date: Fri, 7 Feb 2003 09:24:01 -0800

Snort 1.9.0 doesn't trigger alerts when unicode attacks occur. My Apache web logs show the Code Red or Nimda worms are connecting, and the web.iis rules is enabled. Other alerts are coming through, so there is at least some level of proper configuration. Here's my http_decode statement in the conf file:

    preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

So what would be keeping the unicode attack detected alerts from coming through? Is everybody else out there getting them under Snort 1.9.0? Any pointers would be very much appreciated.

Thanks in advance,
Gary
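
An added example, not part of the post above and not Snort code: a Python script that tags Apache access-log request lines with the http_decode option names from the quoted configuration, so log entries can be compared against the alerts Snort actually raised. The mapping from option name to URI pattern, the helper names, and the sample log lines are assumptions constructed for illustration.

```python
import re

# Request-URI patterns keyed by the http_decode option names in the post.
# What each option covers is an assumption made for this example.
CHECKS = {
    # C0/C1 never start well-formed UTF-8; E0 80-9F and F0 80-8F are overlong
    "unicode": re.compile(r"%c[01]%[0-9a-f]{2}|%e0%[89][0-9a-f]|%f0%8[0-9a-f]", re.I),
    # IIS-style %uXXXX escapes
    "iis_alt_unicode": re.compile(r"%u[0-9a-f]{4}", re.I),
    # %25 followed by two hex digits decodes to another %XX escape
    "double_encode": re.compile(r"%25[0-9a-f]{2}", re.I),
    # literal backslash used as a path separator
    "iis_flip_slash": re.compile(r"\\"),
}

# Request field of a common-log-format line: "METHOD URI HTTP/x.y"
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def classify(uri):
    """Return the sorted option names whose pattern appears in the URI."""
    return sorted(name for name, rx in CHECKS.items() if rx.search(uri))

def scan(lines):
    """Return (client, uri, tags) for every log line with at least one tag."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        tags = classify(m.group(1))
        if tags:
            hits.append((line.split()[0], m.group(1), tags))
    return hits

# Constructed sample lines (documentation addresses, harmless paths).
SAMPLE = [
    r'192.0.2.10 - - [07/Feb/2003:09:00:01 -0800] "GET /a%c0%afb HTTP/1.0" 404 290',
    r'192.0.2.11 - - [07/Feb/2003:09:00:02 -0800] "GET /a%255cb HTTP/1.0" 404 290',
    r'192.0.2.12 - - [07/Feb/2003:09:00:03 -0800] "GET /a%u002fb HTTP/1.0" 404 290',
    r'192.0.2.13 - - [07/Feb/2003:09:00:04 -0800] "GET /a\b HTTP/1.0" 404 290',
    r'192.0.2.14 - - [07/Feb/2003:09:00:05 -0800] "GET /q?s=caf%c3%a9 HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for client, uri, tags in scan(SAMPLE):
        print(client, uri, ",".join(tags))
```
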