AW: [Snort-devel] spp_unidecode false alert reduction

Poppi, Sandro Sandro.Poppi at ...1204...
Tue May 28 07:42:06 EDT 2002


Hi Chris,

thanks for your answer.

If I understood you right I have 2 choices:

Either use snort 1.9.x and http_decode or stay at 1.8.x and live with those
alerts of unidecode, since according to the comments in your shipped
snort.conf unidecode's use is recommended instead of http_decode in 1.8.x.

So long,
Sandro
> 
> > Hi there,
> >
> > I would like to discuss some changes in spp_unidecode to reduce false
> > positives.
> >
> 
> unidecode is being deprecated in favor of the newer http decoder. I
> still need to document the options for it but check out the top of
> the HEAD branch's http decoder for more info :-)
> -- 
> Chris Green <cmg at ...402...>
> A good pun is its own reword.
> 



