[Snort-users] Http Preprocessor Question

Martin Roesch roesch at ...421...
Tue Nov 28 18:23:31 EST 2000


Erickson Brent W KPWA wrote:
> 
> Hello fellow Snorters,
> 
> I saw from the Whitehats site that the signatures for Microsoft IIS will not
> detect activity if the HTTP preprocessor is loaded.
> 
> What are the drawbacks/advantages of disabling the HTTP preprocessor ??

You won't be able to detect encoded URI's.

If you're so inclined, you can download the latest version of it from the CVS
server and it should drop right in to the 1.6.3-patch2 code cleanly.  The
latest version detects both NULL byte and UNICODE attacks automatically.

     -Marty

> 
> Thank you for your help.
> 
> Brent Erickson
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org



More information about the Snort-users mailing list