[Snort-users] http_decode preprocessor

Erik Engberg Erik.Engberg at ...511...
Thu Mar 15 12:06:07 EST 2001


Yes of course, I'll do it with BPF... But it would be more convenient using
the same syntax as normal rules. Especially if I want to be more accurate.
Having the option to place pass rules before preprocessors would help a lot
(or am I on the wrong track here?)

Using -cginull instead of -null seems to work a lot better (I guess Marty
mistyped that info earlier). Thanx to Paul Harrington for pointing it out.

/Erik

>-----Original Message-----
>From: Brian Caswell [mailto:bmc at ...312...]
>Sent: den 15 mars 2001 17:48
>To: Erik Engberg
>Cc: 'Martin Roesch'; snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] http_decode preprocessor
>
>
>Erik Engberg wrote:
>> 
>> I am currently testing this since I have trouble with enormous amounts of
>> false positives on the preprocessor unicode and cgi null attacks.
>> 
>> I am using the latest CVS source, openbsd current, logging to mysql and this
>> in the config file:
>> 
>> preprocessor http_decode: 80 8080 -null -unicode
>> 
>> although the unicode alerts are gone (got 100 000 a day or so before), the
>> spp_http_decode: CGI Null Byte attack detected are still dropping in at the
>> rate of 15000 a day... the -null argument does not seem to work.
>> 
>> Also, the preprocessors are engaged before pass rules by design, wouldn't it
>> be more convenient having pass rules before preprocessors to filter out
>> false positives? I guess that would mean a performance hit though...
>
>Why not filter them out with BPF filters?
>
>snort <yourargshere> ((not host yourhost) and (not port 80))
>
>For most shells, you will have to \ out the (.  Either add it on the
>command line, or use -F
>
>-brian
>
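An added example, not from anyone in this thread, of the BPF approach Brian suggests: it builds the exclusion expression for several noisy hosts at once, narrows it to the web ports http_decode is configured for (80 and 8080, as in Erik's config line) rather than dropping all port 80 traffic, and writes it to a file for `-F` so the parentheses never need shell escaping. The addresses and file path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Snort project or this thread).
# Generate a BPF filter that hides the HTTP traffic of known false-positive
# sources from snort, so the http_decode preprocessor never inspects it.

# build_bpf_filter HOST... -> prints
#   not ((host A or host B) and (port 80 or port 8080))
# Ports default to the http_decode ports used in the thread; override with
# HTTP_PORTS="80 8080 8000".
build_bpf_filter() {
    hosts=""
    for h in "$@"; do
        hosts="${hosts:+$hosts or }host $h"
    done
    ports=""
    for p in ${HTTP_PORTS:-80 8080}; do
        ports="${ports:+$ports or }port $p"
    done
    printf 'not ((%s) and (%s))\n' "$hosts" "$ports"
}

# write_bpf_file FILE HOST... -> writes the expression to FILE for `snort -F FILE`,
# which sidesteps the "\ out the (" problem on the command line.
write_bpf_file() {
    file=$1
    shift
    build_bpf_filter "$@" > "$file"
}

# Usage with constructed addresses (snort itself is not invoked here):
#   write_bpf_file /tmp/snort.bpf 10.0.0.5 10.0.0.6
#   snort -c snort.conf -F /tmp/snort.bpf
```

Traffic matched by the expression is dropped before any preprocessor or rule runs, so unlike a pass rule it also removes the cost of decoding it.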



