[Snort-devel] spp_unidecode false alert reduction

Poppi, Sandro Sandro.Poppi at ...1204...
Tue May 28 01:13:02 EDT 2002


Hi there,

I would like to discuss some changes in spp_unidecode to reduce false
positives.

The story:

I very often get "spp_unidecode: Invalid Unicode String detected" alerts
which are 99% false positives because of the use of single Unicode-encoded
characters of German umlauts (e.g. %E0) in search engine requests or such.
Other languages also have their special characters. These characters are in
the ext. ASCII range of 192 - 223 (dec).

spp_unidecode follows strictly the UTF-8 standard so a request like GET
/scripts/h%DFgar.cgi generates such an alert.

What about adding a snort.conf option like allow-8bit-ascii to get rid of
those alerts?

I know this is not a recommended way, but since various implementations of
applications make use of such "bad" characters, I would say this is a
better solution than disabling unidecode completely.

I would greatly appreciate any comments.

TIA,
Sandro
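Added example, constructed for this post and not taken from Snort's spp_unidecode: a simplified strict UTF-8 structure check over a %-decoded request path, with the proposed allow-8bit-ascii behaviour as a flag. The function name invalid_unicode_alert and the assumption that the option only exempts a lone lead byte in the 192-223 range (not other malformed sequences) are mine.

```c
#include <stddef.h>
/* Constructed example, not Snort's spp_unidecode: simplified strict UTF-8
 * structure check over a %-decoded request path, plus the proposed
 * allow-8bit-ascii behaviour (assumed scope: lone 192-223 lead bytes). */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes into buf; returns decoded length, -1 on a malformed escape. */
static int url_decode(const char *in, unsigned char *buf, size_t cap) {
    size_t n = 0;
    for (; *in && n < cap; in++) {
        if (*in == '%') {
            int hi = hexval(in[1]), lo = in[1] ? hexval(in[2]) : -1;
            if (hi < 0 || lo < 0) return -1;
            buf[n++] = (unsigned char)(hi * 16 + lo);
            in += 2;                          /* skip the two hex digits */
        } else {
            buf[n++] = (unsigned char)*in;
        }
    }
    return (int)n;
}

/* Returns 1 if "Invalid Unicode String" would be raised for url, else 0. */
int invalid_unicode_alert(const char *url, int allow_8bit_ascii) {
    unsigned char buf[512];
    int len = url_decode(url, buf, sizeof buf);
    if (len < 0) return 1;                    /* malformed %-escape: alert */
    for (int i = 0; i < len; ) {
        unsigned char b = buf[i];
        int need, ok = 1;                     /* continuation bytes expected */
        if (b < 0x80)       { i++; continue; } /* plain ASCII */
        else if (b >= 0xC0 && b <= 0xDF) need = 1;
        else if (b >= 0xE0 && b <= 0xEF) need = 2;
        else if (b >= 0xF0 && b <= 0xF7) need = 3;
        else return 1;                        /* stray continuation or > 0xF7 */
        for (int k = 1; k <= need; k++)
            if (i + k >= len || (buf[i + k] & 0xC0) != 0x80) { ok = 0; break; }
        if (ok) { i += need + 1; continue; }  /* well-formed UTF-8 sequence */
        /* Proposed allow-8bit-ascii: a lone 192-223 byte is one Latin-1 char */
        if (allow_8bit_ascii && need == 1) { i++; continue; }
        return 1;                             /* would fire the alert */
    }
    return 0;
}
```

With the option on, the %DF in the example request is accepted as a Latin-1 character, while a stray continuation byte such as %80 still raises the alert, so the exemption stays narrow.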



