Snort mailing list archives
snort_decoder
From: Angelita de Cássia Corrêa <angelita () uol com br>
Date: Mon, 18 Jul 2005 10:31:51 -0300
And about these alerts?

(http_inspect) OVERSIZE REQUEST-URI DIRECTORY
non-standard-protocol: (http_inspect) OVERSIZE CHUNK ENCODING
attempted-recon: (http_inspect) DOUBLE DECODING ATTACK

Thanks

----- Original Message -----
From: Joel Esler
To: Angelita de Cássia Corrêa
Cc: snort-users () lists sourceforge net
Sent: Sunday, July 17, 2005 8:26 PM
Subject: Re: [Snort-users] snort_decoder

No, they are decoder "errors" telling you that a packet that has "tcp options" "with bad lengths" has been found and that (maybe another packet) that the tcp options have been truncated. Most people I know shut these off. You can find out how to shut these off in the snort.conf or in the snort manual.

joel

On Jul 17, 2005, at 4:17 PM, Angelita de Cássia Corrêa wrote:

Do these alerts mean false positives?

(snort_decoder): Tcp Options found with bad lengths
(snort_decoder): Truncated Tcp Options

Thanks
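To illustrate what the two snort_decoder messages discussed in this thread refer to, here is an added example (not part of the original messages and not Snort's own code) of a TCP options walker that tells a bad option length apart from a truncated option. The function name, status codes and sample byte strings are constructed for illustration, and the mapping of conditions to the two alerts is an assumption, not taken from Snort's source.

```c
#include <stddef.h>
#include <stdint.h>

/* Status names are chosen for this example; they are not Snort identifiers. */
enum tcpopt_status { TCPOPT_OK, TCPOPT_BAD_LENGTH, TCPOPT_TRUNCATED };

/* Walk the TCP options area (the bytes after the fixed 20-byte header).
 * Every option is kind(1) len(1) data(len-2), except EOL (0) and NOP (1),
 * which are a single byte with no length field. */
enum tcpopt_status check_tcp_options(const uint8_t *opts, size_t opts_len)
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t kind = opts[i];
        if (kind == 0)                      /* EOL: the rest is padding */
            return TCPOPT_OK;
        if (kind == 1) {                    /* NOP: single byte */
            i++;
            continue;
        }
        if (i + 1 >= opts_len)              /* kind present, length byte missing */
            return TCPOPT_TRUNCATED;
        uint8_t len = opts[i + 1];
        if (len < 2)                        /* length must cover kind + len bytes */
            return TCPOPT_BAD_LENGTH;
        if (len > opts_len - i)             /* option claims more bytes than remain */
            return TCPOPT_TRUNCATED;
        /* Fixed-size options must carry their defined length. */
        if ((kind == 2 && len != 4) ||      /* MSS */
            (kind == 3 && len != 3) ||      /* window scale */
            (kind == 4 && len != 2) ||      /* SACK permitted */
            (kind == 8 && len != 10))       /* timestamps */
            return TCPOPT_BAD_LENGTH;
        i += len;
    }
    return TCPOPT_OK;
}

/* Constructed sample option areas (not captured traffic). */
const uint8_t sample_ok[]      = {2, 4, 0x05, 0xb4, 1, 3, 3, 7, 4, 2, 0};
const uint8_t sample_zero_len[] = {2, 0, 0x05, 0xb4};       /* MSS with len 0 */
const uint8_t sample_wrong_len[] = {3, 4, 7, 0};            /* window scale, len 4 */
const uint8_t sample_cut_short[] = {1, 1, 8, 10, 0, 0, 0, 1}; /* timestamp cut off */
const uint8_t sample_no_len[]  = {1, 1, 1, 2};              /* kind byte only */
```

Malformed options like these also come from buggy stacks and middleboxes, which is one reason the alerts are noisy on many networks.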
Current thread:
- snort_decoder Angelita de Cássia Corrêa (Jul 17)
- Re: snort_decoder Joel Esler (Jul 17)
- Re: snort_decoder Martin Roesch (Jul 17)
- <Possible follow-ups>
- snort_decoder Angelita de Cássia Corrêa (Jul 18)
- False positive Angelita de Cássia Corrêa (Jul 18)
- Re: False positive Joel Esler (Jul 18)
- Re: False positive Angelita de Cássia Corrêa (Jul 18)
- False positive Angelita de Cássia Corrêa (Jul 18)
- Re: snort_decoder Joel Esler (Jul 17)