[Snort-users] IIS Unicode Attack-Code

Olaf Gellert gellert at ...2156...
Fri Jun 1 07:01:13 EDT 2001


I have many false positives on the "IIS Unicode attack".
Looking into spp_http_decode.c I find that the module
matches %FC in the URL. Is this necessary? I know of
%C0, %C1 and %C9 (backslash, slash etc). But %FC is
the german characte u_umlaut, which is very common
in german URLs (especially those for search engines).

Just a question. Didn't find anythign on whitehats.com.
Thanx for any explanation.

Olaf Gellert                           mailto:gellert at ...2156...
DFN-PCA:                    Eine Arbeitsgruppe der DFN-CERT GmbH
Oberstr. 14b                              http://www.pca.dfn.de/
D-20144 Hamburg, Germany           +49.40.808077-555 / Fax: -556

More information about the Snort-users mailing list