[Snort-users] IIS Unicode attack detected

Joseph Nicholas Yarbrough nyarbrough at ...262...
Wed Mar 14 09:26:27 EST 2001

On Wednesday 14 March 2001 05:42, Habu Takuya wrote:
> Hello,
> I think what generates this alert is not a rule, but
> "HTTP decode Preprocessor".
> If you use snort.conf file, probably you can see the following line
> in the middle (around line 116):
> preprocessor http_decode 80 8080
> comment out this line.
> > I'm new at snorg. I've installed the current release to control our
> Internet
> > traffic. I also installed the latest rulebase. Most of the alerts snort
> > generates are "spp_http_decode: IIS Unicode attack detected" alerts.
> > Those alerts occur often if some employes do a web connection to an
> > internet
> site.
> > I want to turn off this alert but didn't find the rule which generates
> this
> > alert. Does anybody know where I can turn off this rule?

Watch out if your doing this. You will loose http decoding, possibly making 
you open to attacks. I've seen the most false positives when running 
http_decode on port 443 (used-to/perhaps-still be/is the default). Being as 
snort can't (currently) decode ssl traffic, it's probably safe to disable 
port 443.

Note: False positives are a neccisary evil, and if you remove every rule that 
gives you false positives, you are lowering the probability that snort will 
catch real attacks.

Also, have you verified that this isn't a real attack?


Joseph Nicholas Yarbrough
Information Security Analyst
LURHQ Corporation
843-903-4ESM (4376) ext. 312
nyarbrough at ...262...
"Information Security Specialists"

More information about the Snort-users mailing list