Re: your mail

[gary douglas <GM-Douglas () wiu edu>]

I also get a ton of these. I suppress them with the following. I have  
it in a threshold.conf file that is referenced in the bottom of the  
snort.conf

# stop (http_inspect) double decoding attack alerts.
suppress gen_id 119, sig_id 2

I wish there was a central location to get the gen_id of the all the  
different processes. So far I have found the following.

portscan = 122
http_inspect = 119
spp_frag3 = 123

Thank you
Gary Douglas


On Oct 18, 2006, at 10:22 AM, Phil Wood wrote:

> Could it be that your users are attacking websites?
>
> On Wed, Oct 18, 2006 at 03:19:51PM +0000, Julien VARLET wrote:
> > I have these problems when my users browse websites, so I cannot  
> > tunned it.
> >
> > -------- Original Message --------
> > Subject: Re: [Snort-users] DOUBLE DECODING ATTACK (13-oct.-2006  
> > 12:46)
> > From:    Joel Esler <joel.esler () sourcefire com>
> > To:      jvarlet () aressi fr
> >
> > > Have you tuned your http_inspect_server lines to accurately reflect
> > > your http servers?
> > >
> > > J
> > >
> > >
> > > On Oct 13, 2006, at 6:12 AM, Julien VARLET wrote:
> > >
> > > > Hi,
> > > >
> > > > I get a lot of DOUBLE DECODING ATTACK when http preprocessor is
> > > > active, but it is only false positives... I do not want to
> > > > desactivate http preprocessor. How can I do ?
> > > >
> > > > Thanks.
> > > >
> > > >
> > > > To: snort.user () gmail com
> > > >     snort-users () lists sourceforge net
> > > >     snort-devel () lists sourceforge net
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------------------- 
> > > > ---
> > > > ---
> > > > Using Tomcat but need to do more? Need to support web services,
> > > > security?
> > > > Get stuff done quickly with pre-integrated technology to make your
> > > > job easier
> > > > Download IBM WebSphere Application Server v.1.0.1 based on Apache
> > > > Geronimo
> > > > http://sel.as-us.falkag.net/sel?
> > > > cmd=lnk&kid=120709&bid=263057&dat=121642
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > +------------------------------------------------------------------- 
> > > --+
> > > joel esler          senior security consultant          
> > > 1-706-627-2101
> > > Sourcefire    Security for the /Real/ World -- http:// 
> > > www.sourcefire.com
> > >         Snort - Open Source Network IPS/IDS -- http://www.snort.org
> > >           gpg key: http://demo.sourcefire.com/jesler.pgp.key
> > >             aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
> > > +------------------------------------------------------------------- 
> > > --+
> > >
> > >
> > >
> > > -------------------------------------------------------------------- 
> > > -----
> > > Using Tomcat but need to do more? Need to support web services,  
> > > security?
> > > Get stuff done quickly with pre-integrated technology to make  
> > > your job
> > > easier
> > > Download IBM WebSphere Application Server v.1.0.1 based on Apache  
> > > Geronimo
> > > http://sel.as-us.falkag.net/sel? 
> > > cmd=lnk&kid=120709&bid=263057&dat=121642
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Phil Wood (cpw_at-sign_lanl.gov)
>
> ---------------------------------------------------------------------- 
> ---
> Using Tomcat but need to do more? Need to support web services,  
> security?
> Get stuff done quickly with pre-integrated technology to make your  
> job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache  
> Geronimo
> http://sel.as-us.falkag.net/sel? 
> cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users