[Snort-users] http_decode preprocessor
Erik.Engberg at ...511...
Thu Mar 15 10:54:49 EST 2001
I am currently testing this since I have trouble with enormous amounts of
false positives on the preprocessor unicode and cgi null attacks.
I am using the latest CVS source, openbsd current, logging to mysql and this
in the config file:
preprocessor http_decode: 80 8080 -null -unicode
Although the unicode alerts are gone (got 100 000 a day or so before), the
"spp_http_decode: CGI Null Byte attack detected" alerts are still dropping in at
the rate of 15000 a day... the -null argument does not seem to work.
Also, the preprocessors are engaged before pass rules by design, wouldn't it
be more convenient having pass rules before preprocessors to filter out
false positives? I guess that would mean a performance hit though...
>From: Martin Roesch [mailto:roesch at ...421...]
>Sent: 12 March 2001 08:04
>To: Alexandre Florio
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] http_decode preprocessor
>Check out the latest version of Snort from
>http://snort.sourceforge.net/snort-daily.tar.gz and try out the new
>unidecode preprocessor while disabling UNICODE and NULL attack
>in http_decode using the -unicode and -null arguments to the
>Alexandre Florio wrote:
>> How can I set up what I want to http_decode preprocessor to log?
>> I'm running snort fine, but I'm getting too much output about things that
>> I know that aren't attacks...
>> For instance:
>> -- Mar 7 08:44:15 firewall snort: spp_http_decode: CGI Null Byte attack detected: <host_on_MY_network>:1807 ->
>> Alexandre Florio
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>roesch at ...421...
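A small model of what the http_decode line in the mail above is meant to do, added here as an example and not code from Snort or from anyone in the thread: it parses the port list and the -null / -unicode arguments, then runs simplified versions of the two checks over constructed request URIs, so the expected effect (no alerts once both arguments are given) can be compared with the behaviour reported. The regular expressions are my approximation of the two checks, not Snort's actual logic, and the sample requests are constructed.

```python
import re
from collections import namedtuple
# ports decoded, plus the two checks that -null / -unicode switch off.
HttpDecodeConfig = namedtuple("HttpDecodeConfig", "ports check_null check_unicode")

def parse_http_decode(line):
    """Parse 'preprocessor http_decode: 80 8080 -null -unicode'."""
    m = re.match(r"\s*preprocessor\s+http_decode:\s*(.*)$", line)
    if not m:
        raise ValueError("not an http_decode preprocessor line")
    ports, flags = set(), {"-null": True, "-unicode": True}
    for tok in m.group(1).split():
        if tok in flags:
            flags[tok] = False          # "-null"/"-unicode" disable a check
        elif tok.isdigit():
            ports.add(int(tok))         # a port to decode HTTP on
        else:
            raise ValueError("unknown http_decode token: " + tok)
    return HttpDecodeConfig(frozenset(ports), flags["-null"], flags["-unicode"])

# Simplified signatures (assumption, not Snort's exact logic): a URL-encoded
# NUL byte, and either %uXXXX or a percent-encoded non-ASCII byte.
NULL_RE = re.compile(r"%00", re.I)
UNICODE_RE = re.compile(r"%u[0-9a-f]{4}|%[89a-f][0-9a-f]", re.I)

def inspect_request(cfg, dst_port, uri):
    # Alert names this config would raise for one request URI.
    if dst_port not in cfg.ports:
        return []                       # port not listed: never decoded
    alerts = []
    if cfg.check_null and NULL_RE.search(uri):
        alerts.append("CGI Null Byte attack detected")
    if cfg.check_unicode and UNICODE_RE.search(uri):
        alerts.append("Unicode attack detected")
    return alerts

# Constructed sample requests (dst port, URI); not traffic from the thread.
SAMPLES = [
    (80, "/cgi-bin/search.pl?q=foo%00bar"),
    (8080, "/scripts/..%c0%af../winnt?x=%u0041"),
    (443, "/index.html?q=%00"),
]
def count_alerts(config_line):
    # Total alerts per name over SAMPLES for one config line.
    cfg = parse_http_decode(config_line)
    totals = {}
    for port, uri in SAMPLES:
        for name in inspect_request(cfg, port, uri):
            totals[name] = totals.get(name, 0) + 1
    return totals
```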