[Snort-users] IIS Unicode attack detected

Joe McAlerney joey at ...155...
Wed Mar 14 20:32:21 EST 2001


To completely ignore unicode attacks, you should add -unicode to the
preprocessor's command line.  This will still allow the preprocessor to
perform chararacter conversions and cgi null attack checks.

-Joe M.

-- 
+--                            --+
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
+--                            --+

Habu Takuya wrote:
> 
> Hello,
> I think what generates this alert is not a rule, but
> "HTTP decode Preprocessor".
> 
> If you use snort.conf file, probably you can see the following line
> in the middle (around line 116):
> preprocessor http_decode 80 8080
> 
> comment out this line.
> 
> > I'm new at snorg. I've installed the current release to control our
> Internet
> > traffic. I also installed the latest rulebase. Most of the alerts snort
> > generates are "spp_http_decode: IIS Unicode attack detected" alerts. Those
> > alerts occur often if some employes do a web connection to an internet
> site.
> > I want to turn off this alert but didn't find the rule which generates
> this
> > alert. Does anybody know where I can turn off this rule?
> >
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users




More information about the Snort-users mailing list