[Snort-users] IIS Unicode check on port 443

Adams, Gavin gadams at ...1086...
Fri Jan 5 13:25:30 EST 2001


Greetings all,

Having a wonderful time with snort. 1.6.3 is working wonderfully (Redhat
RPM), and the features in 1.7beta8 are nice too, especially the Unicode
additions. Are the IIS Unicode hits I'm getting on SSL connections (port
443) false positives? I would assume so since snort is only seeing
encrypted traffic. The http_decode preprocessor entry has the default
ports of 80, 443, and 8080 included. My question is, what can the
spp_http_decode code look for within an HTTPS/SSL connection?

For the time being I've removed port 443 from the preprocessor line.

Here's an example event:

TCP:4303-443
::::::::::::::
[**] spp_http_decode: IIS Unicode attack detected [**]
01/04-20:39:54.456746 0:1:2:78:C6:7F -> 0:A0:8E:9:1B:28 type:0x800 len:0x1D9
172.xxx.1.165:4303 -> 206.xxx.185.48:443 TCP TTL:128 TOS:0x0 ID:44978 IpLen:20 DgmLen:459 DF

Cheers,

--- Gavin
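
Added example, not part of the original post and not spp_http_decode's code: a simplified overlong-UTF-8 byte check (an assumed stand-in for the preprocessor's Unicode test) run over random bytes standing in for SSL ciphertext, to estimate how often a payload the size of the one in the alert above would match by chance. The 419-byte payload length assumes the 459-byte datagram minus the 20-byte IP header and a 20-byte TCP header without options; all function names and the sample request are constructed for illustration.

```python
import random


def has_overlong_2byte(payload: bytes) -> bool:
    """Return True if payload holds a 2-byte UTF-8 sequence with lead byte
    0xC0 or 0xC1. Those lead bytes can only encode code points below 0x80,
    so any such sequence is an overlong (non-canonical) encoding."""
    for lead, cont in zip(payload, payload[1:]):
        if lead in (0xC0, 0xC1) and 0x80 <= cont <= 0xBF:
            return True
    return False


def ciphertext_hit_rate(packets: int = 2000, payload_len: int = 419,
                        seed: int = 1) -> float:
    """Fraction of random payloads (a stand-in for encrypted SSL records)
    that trip the byte-pattern check purely by chance."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    hits = 0
    for _ in range(packets):
        payload = bytes(rng.getrandbits(8) for _ in range(payload_len))
        hits += has_overlong_2byte(payload)
    return hits / packets


# Constructed cleartext request: plain ASCII, so the check stays quiet.
CLEARTEXT = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    print("cleartext request flagged:", has_overlong_2byte(CLEARTEXT))
    rate = ciphertext_hit_rate()
    print(f"random 419-byte payloads flagged: {rate:.1%}")
    # Per byte pair the match probability is (2/256) * (64/256) = 1/512,
    # so over 418 adjacent pairs roughly half of all payloads match.
```

Under these assumptions a byte-level check applied to encrypted traffic reports on chance byte pairs rather than on request content, which is why limiting such a check to cleartext HTTP ports removes the noise without losing visibility it never had.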




