[Snort-users] Unicode hack detection revisited

Martin Roesch roesch at ...421...
Tue Mar 6 08:23:28 EST 2001


Be sure to check out the new spp_unidecode preprocessor that's in the
latest CVS as well; you may want to turn off regular UNICODE detection
in http_decode and use the new module.

    -Marty

Doug White wrote:
> 
> /me kicks SourceForge; they aren't archiving lists in 2001.
> 
> Hello,
> 
> I'm wondering if there's been any progress on tightening the IIS Unicode
> hack detection in http_decode.  I just got hit with a false positive when
> someone logged into Netscape Mail and it finds the evil characters in the
> cookie.  I'd prefer to use a standard alert rule instead of the
> http_decode heuristic so I can regulate it to inbound nastiness only.
> 
> Thanks for any info!
> 
> Doug White                    |  FreeBSD: The Power to Serve
> dwhite at ...1486...     |  www.FreeBSD.org
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org



