[Snort-users] Snort logs web browsing
kmx at ...1644...
Mon Apr 16 01:59:30 EDT 2001
You can also get the newest snort and use http_decode_ignore and specify
IP's/ranges just like the port scan ignore preprocessor.
"shawn . moyer" wrote:
> Basically the http decode preprocessor is catching unicode characters
> and alerting you to this traffic. For the most part, if it's outbound,
> verify that it's valid traffic and you can safely ignore. I've always
> thought that this text should be rewritten as something like "Unicode
> traffic detected", since it's more often than not a false positive.
> The reason you get it even with HOME_NET defined is that the http decode
> preprocessor is called before the actual ruleset, so none of the
> variables you set really apply.
> In short, investigate, verify, and treat it as informational most of the
> time. If you don't have any webservers on your net that are vulnerable
> to unicode stuff you can probably safely prioritize this one pretty low.
> Phil wrote:
> > I've got snort working (apparently you need to have -i
> > elxl0 on the command line in order for $elxl0_ADDRESS
> > to work in the config file).
> > So anyway, it's running now, but it seems to be
> > logging ONE outbound web traffic (where X.X.X.X is my
> > external IP):
> > [**] spp_http_decode: IIS Unicode attack detected [**]
> > 04/15-18:08:02.069333 X.X.X.X:1532 ->
> > 220.127.116.11:80
> > TCP TTL:127 TOS:0x0 ID:50983 IpLen:20 DgmLen:1024 DF
> > ***AP*** Seq: 0x8E5AC4 Ack: 0x8EC2A0F0 Win: 0x2238
> > TcpLen: 20
> > And that IP's nslookup:
> > Name: vwww-rl.netscape.com
> > Address: 18.104.22.168
> > Shows netscape.com which I didn't visit today.
> > Regardless, it's an outgoing connection and I don't
> > quite get it. Here's more relevant info:
> > Solaris 2.6 x86
> > Snort 1.7
> > Updated ruleset today
> > var HOME_NET $elxl0_ADDRESS
> > var EXTERNAL_NET !$HOME_NET
> > command used to start snort:
> > /usr/local/bin/snort -A fast -s -i elxl0 -l
> > /var/log/snortlogs -c /etc/snort/snort.conf -D
> > Any help would be much appreciated.
> > Phil
> > __________________________________________________
> > Do You Yahoo!?
> > Get email at your own domain with Yahoo! Mail.
> > http://personal.mail.yahoo.com/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> s h a w n m o y e r
> shawn at ...1184...
> "Nuclear war would really set back cable."
> -- Ted Turner
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users