[Snort-users] spp_http_decode: CGI Null Byte attack detected

Martin Roesch roesch at ...421...
Wed Apr 18 22:44:29 EDT 2001


Yes.  Don't deactivate the preprocessor, use the -cginull switch in the
preprocessor directive in the conf file.

preprocessor http_decode: 80 -cginull

   -Marty

> "Oxenreider, Jeff" wrote:
> 
> Doesn't the -cginull flag on the http_decode preproc turn off the
> cginull detect, like the -unicode turns off unicode detects?
> 
> Jeffrey A. Oxenreider
> Senior Network/Security Engineer
> Safelite Glass Corp
> 
> -----Original Message-----
> From: roman at ...438... [mailto:roman at ...438...]
> Sent: Tuesday, April 17, 2001 11:45 AM
> To: Chad Gough; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] spp_http_decode: CGI Null Byte attack
> detected
> 
> This alert is not triggered by a rule, but with the http_decode
> pre-processor.  If you do not want to see this message, you
> must disable this pre-processor in your configuration file.
> 
> cheers,
> Roman
> 
> > How do you stop the logging of:
> >
> > spp_http_decode: CGI Null Byte attack detected
> >
> > I don't see a rule for this.  Is it part of a compile option?
> >
> > Thanks,
> > Chad
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Auctions - buy the things you want at great prices
> > http://auctions.yahoo.com/
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> 
> ---------------------------------------------
> This message was sent using Voicenet WebMail.
>       http://www.voicenet.com/webmail/
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list