[Snort-users] http_decode preprocessor

Erik Engberg Erik.Engberg at ...511...
Thu Mar 15 10:54:49 EST 2001


I am currently testing this since I have trouble with enormous amounts of
false positives on the preprocessor unicode and cgi null attacks.

I am using the latest CVS source, openbsd current, logging to mysql and this
in the config file:

preprocessor http_decode: 80 8080 -null -unicode

although the unicode alerts are gone (got 100 000 a day or so before), the 
spp_http_decode: CGI Null Byte attack detected are still dropping in at the
rate of 15000 a day... the -null argument does not seem to work.

Also, the preprocessors are engaged before pass rules by design, wouldn't it
be more convenient having pass rules before preprocessors to filter out
false positives? I guess that would mean a performance hit though...

best regards,
Erik Engberg



>-----Original Message-----
>From: Martin Roesch [mailto:roesch at ...421...]
>Sent: 12 March 2001 08:04
>To: Alexandre Florio
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] http_decode preprocessor
>
>
>Check out the latest version of Snort from
>http://snort.sourceforge.net/snort-daily.tar.gz and try out the new
>unidecode preprocessor while disabling UNICODE and NULL attack detection
>in http_decode using the -unicode and -null arguments to the http_decode
>preprocessor...
>
>   -Marty
>
>Alexandre Florio wrote:
>> 
>>         How can I set up what I want to http_decode preprocessor to log?
>>         I'm running snort fine, but I'm getting too much output about
>> things that I know that aren't attacks...
>> 
>>         For instance:
>> 
>> -- Mar  7 08:44:15 firewall snort[26748]: spp_http_decode: CGI Null Byte
>> attack detected: <host_on_MY_network>:1807 -> <outside_host>:80
>> 
>> TIA
>> 
>> Alexandre Florio
>> 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> http://lists.sourceforge.net/lists/listinfo/snort-users
>
>--
>Martin Roesch
>roesch at ...421...
>http://www.snort.org
>
>
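To make the behaviour Erik is configuring concrete, here is an added example (my own code, not Snort's spp_http_decode) that parses his `preprocessor http_decode:` line and runs a simplified version of the two checks over constructed request URIs. It assumes the NULL check fires on a decoded %00 byte and the UNICODE check on any decoded high-bit byte, which is also why ordinary UTF-8 query strings show up as "unicode" false positives.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: the preprocessor line quoted in the message above.
CONFIG_LINE = "preprocessor http_decode: 80 8080 -null -unicode"


def parse_http_decode(line):
    """Split an http_decode line into (HTTP ports, disabled checks)."""
    m = re.match(r"preprocessor\s+http_decode:\s*(.*)$", line.strip())
    if not m:
        raise ValueError("not an http_decode preprocessor line")
    ports, disabled = set(), set()
    for tok in m.group(1).split():
        if tok.startswith("-"):
            disabled.add(tok[1:])       # "-null" -> "null", "-unicode" -> "unicode"
        else:
            ports.add(int(tok))         # "80 8080" -> {80, 8080}
    return ports, disabled


def inspect_uri(raw_uri, disabled):
    """Return the alert names a simplified http_decode would raise for one URI.
    Assumption (not Snort's exact logic): NULL = decoded %00 byte present,
    UNICODE = any decoded byte >= 0x80, e.g. %c0%af or plain UTF-8 text."""
    decoded = unquote_to_bytes(raw_uri)
    alerts = []
    if "null" not in disabled and b"\x00" in decoded:
        alerts.append("CGI Null Byte attack detected")
    if "unicode" not in disabled and any(b >= 0x80 for b in decoded):
        alerts.append("Unicode attack detected")
    return alerts


def inspect_requests(config_line, requests):
    """Map each (dst_port, uri) to its alerts; non-HTTP ports are skipped."""
    ports, disabled = parse_http_decode(config_line)
    return {uri: (inspect_uri(uri, disabled) if port in ports else [])
            for port, uri in requests}


# Constructed sample traffic: a %00 in a query, a legitimate UTF-8 value
# ("café", a classic unicode false positive), a clean request, and a
# request on a port http_decode is not configured to inspect.
SAMPLE = [
    (80, "/cgi-bin/search?q=foo%00bar"),
    (80, "/page?name=caf%c3%a9"),
    (8080, "/index.html"),
    (443, "/x%00"),
]

if __name__ == "__main__":
    for uri, alerts in inspect_requests(CONFIG_LINE, SAMPLE).items():
        print(uri, "->", alerts or "no alert")
```

With Erik's `-null -unicode` line every sample stays silent; drop the two flags and the %00 and UTF-8 requests on port 80 alert, while port 443 is never decoded.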