[Snort-users] Unicode hack detection revisited

Martin Roesch roesch at ...421...
Tue Mar 6 08:23:28 EST 2001

Be sure to check out the new spp_unidecode preprocessor that's in the
latest CVS as well; you may want to turn off regular UNICODE detection
in http_decode and use the new module.


Doug White wrote:
> /me kicks SourceForge; they aren't archiving lists in 2001.
> Hello,
> I'm wondering if there's been any progress on tightening the IIS Unicode
> hack detection in http_decode.  I just got hit with a false positive when
> someone logged into Netscape Mail and it finds the evil characters in the
> cookie.  I'd prefer to use a standard alert rule instead of the
> http_decode heuristic so I can regulate it to inbound nastiness only.
> Thanks for any info!
> Doug White                    |  FreeBSD: The Power to Serve
> dwhite at ...1486...     |  www.FreeBSD.org

Martin Roesch
roesch at ...421...
