[Snort-devel] spp_unidecode false alert reduction
Sandro.Poppi at ...1204...
Tue May 28 01:13:02 EDT 2002
I would like to discuss some changes in spp_unidecode to reduce false
I very often get "spp_unidecode: Invalid Unicode String detected" alerts
which are 99% false positives because of the use of single Unicode-encoded
characters such as German umlauts (e.g. %E0) in search engine requests or such.
Also other languages have their special characters. These characters are in
the ext. ASCII range of 192 - 223 (dec).
spp_unidecode strictly follows the UTF-8 standard, so a request like GET
/scripts/h%DFgar.cgi generates such an alert.
What about adding a snort.conf option like allow-8bit-ascii to get rid of
I know this is not a recommended way, but since various implementations of
applications make use of such "bad" characters, I would say this is a
better solution than disabling unidecode completely.
I would greatly appreciate any comments.
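
The trade-off raised in this message, as an added example that is not part of the original post and is not Snort's code: a simplified structural UTF-8 check over a percent-decoded URI, with a hypothetical allow_8bit flag modelling the proposed allow-8bit-ascii option. The function names and the 512-byte buffer are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode s into dst (caller guarantees room); returns decoded length. */
static size_t pct_decode(const char *s, unsigned char *dst)
{
    size_t n = 0;
    while (*s) {
        if (s[0] == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            char hex[3] = { s[1], s[2], '\0' };
            dst[n++] = (unsigned char)strtol(hex, NULL, 16);
            s += 3;
        } else dst[n++] = (unsigned char)*s++;
    }
    return n;
}

/* Returns 1 if the decoded URI is not structurally valid UTF-8 (would alert).
 * allow_8bit (hypothetical): a lone byte in 192-223 passes as one 8-bit char. */
int uri_would_alert(const char *uri, int allow_8bit)
{
    unsigned char buf[512];
    size_t len, i = 0, k, need;
    if (strlen(uri) >= sizeof buf) return 1;       /* keep the sketch bounded */
    len = pct_decode(uri, buf);
    while (i < len) {
        unsigned char c = buf[i];
        if (c < 0x80) { i++; continue; }           /* plain ASCII */
        if (c >= 0xC0 && c <= 0xDF) need = 1;      /* 192-223: 2-byte lead */
        else if (c >= 0xE0 && c <= 0xEF) need = 2; /* 3-byte lead */
        else if (c >= 0xF0 && c <= 0xF4) need = 3; /* 4-byte lead */
        else return 1;                             /* stray continuation or invalid */
        for (k = 1; k <= need; k++)                /* count continuation bytes */
            if (i + k >= len || (buf[i + k] & 0xC0) != 0x80) break;
        if (k <= need && !(need == 1 && allow_8bit)) return 1;  /* incomplete */
        if (k <= need) { i++; continue; }          /* tolerated lone 8-bit byte */
        if (c < 0xC2) return 1;                    /* overlong 2-byte encoding */
        i += need + 1;
    }
    return 0;
}

int main(void)
{
    const char *uri = "/scripts/h%DFgar.cgi";      /* request quoted in the post */
    printf("strict=%d allow_8bit=%d\n", uri_would_alert(uri, 0), uri_would_alert(uri, 1));
    return 0;
}
```

In this model the relaxed mode only tolerates a 192-223 byte that has no continuation byte after it, so an overlong two-byte sequence still alerts in both modes.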