[Snort-users] Unicode hack detection revisited

Doug White dwhite at ...1486...
Mon Mar 5 16:44:30 EST 2001

/me kicks SourceForge; they aren't archiving lists in 2001.


I'm wondering if there's been any progress on tightening the IIS Unicode
hack detection in http_decode.  I just got hit with a false positive when
someone logged into Netscape Mail and it found the evil characters in the
cookie.  I'd prefer to use a standard alert rule instead of the
http_decode heuristic so I can regulate it to inbound nastiness only.

Thanks for any info!

Doug White                    |  FreeBSD: The Power to Serve
dwhite at ...1486...     |  www.FreeBSD.org
