[Snort-users] http_decode preprocessor

Brian Caswell bmc at ...312...
Thu Mar 15 11:48:05 EST 2001


Erik Engberg wrote:
> 
> I am currently testing this since I have trouble with enormous amounts of
> false positives on the preprocessor unicode and cgi null attacks.
> 
> I am using the latest CVS source, openbsd current, logging to mysql and this
> in the config file:
> 
> preprocessor http_decode: 80 8080 -null -unicode
> 
> although the unicode alerts are gone (got 100 000 a day or so before), the
> spp_http_decode: CGI Null Byte attack detected are still dropping in at the
> rate of 15000 a day... the -null argument does not seem to work.
> 
> Also, the preprocessors are engaged before pass rules by design, wouldn't it
> be more convenient having pass rules before preprocessors to filter out
> false positives? I guess that would mean a performance hit though...

Why not filter them out with BPF filters?

snort <yourargshere> ((not host yourhost) and (not port 80))

For most shells, you will have to \ out the (. Either add it on the
command line, or use -F.

-brian
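The two ways Brian mentions of getting a parenthesised BPF expression past the shell, as an added example that is not part of the original post or of Snort itself. The host 192.0.2.10, the config path and the interface are placeholder values; the optional syntax check assumes tcpdump is installed and compiles the expression against an empty, constructed pcap header so no capture privilege is needed.

```shell
#!/bin/sh
# Added example (not from the original thread): build a BPF exclusion filter,
# pass it either quoted on the command line or through a file for snort -F,
# and optionally check that it compiles. Host/port/path values are placeholders.

# Print the BPF expression that drops traffic to or from one host and one port.
bpf_exclude() {
    host="$1"
    port="$2"
    printf '((not host %s) and (not port %s))' "$host" "$port"
}

# Write the expression to a file for snort -F. Nothing in the file is
# interpreted by the shell, so no escaping of the parentheses is needed.
write_filter_file() {
    host="$1"; port="$2"; out="$3"
    bpf_exclude "$host" "$port" > "$out"
    printf '%s' "$out"
}

# Command line form: single quotes keep the shell from treating ( as a subshell.
# Config path and interface are assumed values.
snort_cmd() {
    printf "snort -c /etc/snort/snort.conf -i eth0 '%s'" "$(bpf_exclude "$1" "$2")"
}

# Optional syntax check: compile the expression with tcpdump -d against a pcap
# file that holds only the 24-byte global header (little-endian magic, version
# 2.4, snaplen 65535, link type 1 = Ethernet). Returns 0 when the filter
# compiles, 1 when tcpdump rejects it, 2 when tcpdump is not installed.
bpf_check() {
    expr="$1"
    command -v tcpdump >/dev/null 2>&1 || return 2
    tmp=$(mktemp)
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$tmp"
    if tcpdump -r "$tmp" -d "$expr" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: write the filter for snort -F and print the equivalent command line.
write_filter_file 192.0.2.10 80 /tmp/snort.bpf >/dev/null
snort_cmd 192.0.2.10 80
echo
```

One caveat on the expression itself: `not port 80` drops every packet with source or destination port 80, not just the noisy host's, so http_decode on port 80 would see no HTTP at all. To keep inspecting HTTP for everyone else, exclude only the host (`not host 192.0.2.10`) and leave the port clause out.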