[Snort-users] CGI Null Byte Attack

Joe Stewart jstewart at ...262...
Mon Nov 20 20:25:31 EST 2000


On Mon, 20 Nov 2000, you wrote:
> I saw this in ACID under unique alerts, and am having a bit of trouble
> tracking down info about it.
> spp_http_decode: CGI Null Byte attack detected 30 (2%) 1 1 1
> What I am looking for is a way to verify whether this is of concern,
> or if not what might be triggering it.  Thanks in advance for any
> pointers.

It's (newly) part of the http preprocessor. Basically, if the http decoding 
routine finds a %00 in an http request, it will alert with this message. 
Sometimes you may see false positives with sites that use cookies with
urlencoded binary data, or if you're scanning port 443 and picking up 
SSL-encrypted traffic. If you're logging alerted packets you can check the 
actual string that caused the alert. Also, the unicode alert is subject to 
the same false positives with cookies and SSL. Having the packet dumps is the 
only way to tell for sure if you have a real attack on your hands, but this 
is true for any content-based alert.

-Joe

-- 
Joe Stewart
Information Security Analyst 
LURHQ Corporation
==========================>
jstewart at ...262...
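The triage step Joe describes (pull the logged packet, percent-decode it, and see where the %00 actually landed) can be scripted. The following is an added example, not code from the thread or from Snort itself; it only approximates the http_decode check as described above (any %00 in the request alerts), and the request-line regex, the sample packets and the verdict labels are all constructed here for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed shape of an HTTP/1.x request line: METHOD SP URI SP HTTP/x.y
REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/\d\.\d$")

# Constructed sample packets (not taken from the original thread).
SAMPLES = {
    "benign":         b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "null_in_uri":    b"GET /cgi-bin/view.cgi?page=notes.txt%00.html HTTP/1.0\r\n"
                      b"Host: www.example.test\r\n\r\n",
    "null_in_cookie": b"GET / HTTP/1.0\r\nHost: www.example.test\r\n"
                      b"Cookie: session=%00%1f%8bbinaryblob\r\n\r\n",
    # Looks like a TLS ClientHello record header, i.e. port 443 traffic
    # that the HTTP decoder cannot parse.
    "tls_on_443":     b"\x16\x03\x01\x00\x9c\x01\x00\x00\x98\x03\x01",
}


def triage(raw: bytes) -> dict:
    """Classify a packet that raised 'CGI Null Byte attack detected'.

    Verdicts (constructed labels):
      not_http            - payload is not an HTTP request line (e.g. SSL on 443)
      null_in_uri         - decoded request URI contains 0x00: worth investigating
      null_in_cookie_only - only the Cookie header decodes to 0x00: likely the
                            urlencoded-binary-cookie false positive
      no_null_found       - nothing decodes to 0x00 in the parts checked here
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return {"verdict": "not_http", "evidence": lines[0][:16]}

    uri = m.group(1)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()

    # Mirror the preprocessor: percent-decode, then look for a raw NUL.
    decoded_uri = unquote_to_bytes(uri)
    decoded_cookie = unquote_to_bytes(headers.get(b"cookie", b""))

    if b"\x00" in decoded_uri:
        return {"verdict": "null_in_uri", "evidence": decoded_uri}
    if b"\x00" in decoded_cookie:
        return {"verdict": "null_in_cookie_only", "evidence": decoded_cookie}
    return {"verdict": "no_null_found", "evidence": b""}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        result = triage(pkt)
        print(f"{name:15s} -> {result['verdict']:20s} {result['evidence']!r}")
```

Run it against the payloads Snort logged for the alert rather than the constructed samples; a NUL sitting in the path or query of a CGI request is the case the alert is meant to catch, while one that only appears after decoding a binary cookie, or a payload that is not HTTP at all, is the noise Joe mentions.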