Snort mailing list archives

RE: DOUBLE DECODING ATTACK


From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Thu, 18 Aug 2005 15:21:01 -0400

You use threshold.conf to disable these preprocessor alerts. 

suppress gen_id 119, sig_id 2     #  disable http_inspect: DOUBLE DECODING ATTACK alerts

Make sure that threshold.conf is enabled in your snort.conf.

Bruce

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of hans
Sent: Thursday, August 18, 2005 1:04 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] DOUBLE DECODING ATTACK


hi snorters 

i run snort 2.3.2 on solaris 9 
in the logs i see  a lot of entries
with text: DOUBLE DECODING ATTACK

nearly all of the entries are generated 
by the source ip-address of my proxy. 

so i assume, i didn't set up snort correctly.

in snort.conf i did define variable HOME_NET
and also var EXTERNAL_NET !$HOME_NET 
HOME_NET is defined as super-net of 8 c-class ( /21 ) 
where proxy-ip is included.

i start snort with option -h and my network.

or is there a way to disable this rule ? 

best regards 
hans 

-- 



-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle
Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing &
QA
Security * Process Improvement & Measurement *
http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
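
The suppress line in the reply silences gen_id 119, sig_id 2 for every source, while the original report says nearly all entries come from the proxy. The following is an added example, not part of either message: it tallies that alert by source address and emits a suppress line scoped with `track by_src, ip` for the trusted proxy only. It assumes Snort's "fast" alert output format; the sample alerts, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Snort "fast" alert line (assumed output mode):
# timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?"
    r"\{\w+\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
)

# Constructed sample alerts; 192.0.2.10 stands in for the proxy.
SAMPLE_ALERTS = """\
08/18-13:01:12.104332  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 192.0.2.10:41022 -> 198.51.100.7:80
08/18-13:01:15.220871  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 192.0.2.10:41030 -> 198.51.100.9:80
08/18-13:02:40.001933  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.0.2.10:41077 -> 198.51.100.7:80
08/18-13:03:02.554010  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 203.0.113.55:50211 -> 192.0.2.80:80
08/18-13:03:59.918244  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 192.0.2.10:41102 -> 198.51.100.7:80
"""

def sources_for(alert_text, gid=119, sid=2):
    """Count alerts for one gen_id/sig_id pair by source address."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m and int(m["gid"]) == gid and int(m["sid"]) == sid:
            counts[m["src"]] += 1
    return counts

def scoped_suppress(counts, trusted, gid=119, sid=2):
    """Emit suppress lines only for trusted sources that actually fire the alert."""
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
        for ip in sorted(trusted)
        if counts.get(ip)
    ]

if __name__ == "__main__":
    counts = sources_for(SAMPLE_ALERTS)
    for ip, n in counts.most_common():
        print(f"{ip}\t{n}")
    # Only the proxy is suppressed; 203.0.113.55 keeps alerting.
    print("\n".join(scoped_suppress(counts, {"192.0.2.10"})))
```

The emitted line goes in threshold.conf in place of the global suppress, so the same alert from any other source is still logged.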



