[Snort-users] Snort logs web browsing

shawn . moyer shawn at ...1184...
Mon Apr 16 01:44:35 EDT 2001

Basically the http decode preprocessor is catching unicode characters
and alerting you to this traffic. For the most part, if it's outbound,
verify that it's valid traffic and you can safely ignore. I've always
thought that this text should be rewritten as something like "Unicode
traffic detected", since it's more often than not a false positive.

The reason you get it even with HOME_NET defined is that the http decode
preprocessor is called before the actual ruleset, so none of the
variables you set really apply.

In short, investigate, verify, and treat it as informational most of the
time. If you don't have any webservers on your net that are vulnerable
to unicode stuff you can probably safely prioritize this one pretty low.


Phil wrote:
> I've got snort working (apparently you need to have -i
> elxl0 on the command line in order for $elxl0_ADDRESS
> to work in the config file).
> So anyway, it's running now, but it seems to be
> logging ONE outbound web traffic (where X.X.X.X is my
> external IP):
> [**] spp_http_decode: IIS Unicode attack detected [**]
> 04/15-18:08:02.069333 X.X.X.X:1532 ->
> TCP TTL:127 TOS:0x0 ID:50983 IpLen:20 DgmLen:1024 DF
> ***AP*** Seq: 0x8E5AC4  Ack: 0x8EC2A0F0  Win: 0x2238
> TcpLen: 20
> And that IP's nslookup:
> Name:    vwww-rl.netscape.com
> Address:
> Shows netscape.com which I didn't visit today.
> Regardless, it's an outgoing connection and I don't
> quite get it. Here's more relevant info:
> Solaris 2.6 x86
> Snort 1.7
> Updated ruleset today
> var HOME_NET $elxl0_ADDRESS
> command used to start snort:
> /usr/local/bin/snort -A fast -s -i elxl0 -l
> /var/log/snortlogs -c /etc/snort/snort.conf -D
> Any help would be much appreciated.
> Phil
> __________________________________________________
> Do You Yahoo!?
> Get email at your own domain with Yahoo! Mail.
> http://personal.mail.yahoo.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


s h a w n   m o y e r
shawn at ...1184...

"Nuclear war would really set back cable."
                             -- Ted Turner

More information about the Snort-users mailing list