[Snort-users] spp_http_decode: CGI Null Byte attack detected
roesch at ...421...
Wed Apr 18 22:44:29 EDT 2001
Yes. Don't deactivate the preprocessor, use the -cginull switch in the
preprocessor directive in the conf file.
preprocessor http_decode: 80 -cginull
> "Oxenreider, Jeff" wrote:
> Doesn't the -cginull flag on the http_decode preproc turn off the
> cginull detect, like the -unicode turns off unicode detects?
> Jeffrey A. Oxenreider
> Senior Network/Security Engineer
> Safelite Glass Corp
> -----Original Message-----
> From: roman at ...438... [mailto:roman at ...438...]
> Sent: Tuesday, April 17, 2001 11:45 AM
> To: Chad Gough; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] spp_http_decode: CGI Null Byte attack
> This alert is not triggered by a rule, but with the http_decode
> pre-processor. If you do not want to see this message, you
> must disable this pre-processor in your configuration file.
> > How do you stop the logging of:
> > spp_http_decode: CGI Null Byte attack detected
> > I don't see a rule for this. Is it part of a compile option?
> > Thanks,
> > Chad
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Auctions - buy the things you want at great prices
> > http://auctions.yahoo.com/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> This message was sent using Voicenet WebMail.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users