[Snort-users] http_decode preprocessor
joey at ...155...
Thu Mar 15 12:20:15 EST 2001
According to the most recent HTTP decode preprocessor documentation
(which I believe is only in the source file spp_http_decode.c), you need
to use -cginull rather than -null. That should quiet things down.
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
Erik Engberg wrote:
> I am currently testing this since I have trouble with enormous amounts of
> false positives on the preprocessor unicode and cgi null attacks.
> I am using the latest CVS source, openbsd current, logging to mysql and this
> in the config file:
> preprocessor http_decode: 80 8080 -null -unicode
> although the unicode alerts are gone (got 100 000 a day or so before), the
> spp_http_decode: CGI Null Byte attack detected are still dropping in at the
> rate of 15000 a day... the -null argument does not seem to work.
> Also, the preprocessors are engaged before pass rules by design, wouldn't it
> be more convenient having pass rules before preprocessors to filter out
> false positives? I guess that would mean a performance hit though...
> best regards,
> Erik Engberg
> >-----Original Message-----
> >From: Martin Roesch [mailto:roesch at ...421...]
> >Sent: den 12 mars 2001 08:04
> >To: Alexandre Florio
> >Cc: snort-users at lists.sourceforge.net
> >Subject: Re: [Snort-users] http_decode preprocessor
> >Check out the latest version of Snort from
> >http://snort.sourceforge.net/snort-daily.tar.gz and try out the new
> >unidecode preprocessor while disabling UNICODE and NULL attack
> >in http_decode using the -unicode and -null arguments to the
> > -Marty
> >Alexandre Florio wrote:
> >> How can I set up what I want to http_decode
> >preprocessor to log?
> >> I'm running snort fine, but I'm getting too much
> >output about things that
> >> I know that aren't attacks...
> >> For instance:
> >> -- Mar 7 08:44:15 firewall snort: spp_http_decode:
> >CGI Null Byte attack detected: <host_on_MY_network>:1807 ->
> >> TIA
> >> Alexandre Florio
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> http://lists.sourceforge.net/lists/listinfo/snort-users
> >Martin Roesch
> >roesch at ...421...
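An added example, not Snort's code and not written by anyone in this thread: a small Python model of what the http_decode directive controls. It parses a "preprocessor http_decode:" line the way the thread describes it (ports followed by -cginull / -unicode flags), reports any flag it does not know instead of silently ignoring it, and runs a simplified decode check over constructed sample URIs. The function names, the sample URIs and the exact unicode heuristic (%uXXXX and overlong UTF-8 lead bytes %C0/%C1) are assumptions for illustration, not spp_http_decode.c's logic.

```python
import re

# Flag names as given in the thread (and documented in spp_http_decode.c).
FLAG_TO_CHECK = {"-cginull": "cginull", "-unicode": "unicode"}


def parse_http_decode(directive):
    """Parse 'preprocessor http_decode: 80 8080 -cginull -unicode'.

    Returns (ports, enabled_checks, unknown_flags). A flag that is not
    recognised, such as '-null', is reported rather than silently
    disabling anything, which is the failure mode the thread describes."""
    _, _, args = directive.partition(":")
    ports, checks, unknown = set(), {"cginull", "unicode"}, []
    for tok in args.split():
        if tok.isdigit():
            ports.add(int(tok))
        elif tok in FLAG_TO_CHECK:
            checks.discard(FLAG_TO_CHECK[tok])
        else:
            unknown.append(tok)
    return ports, checks, unknown


def inspect_uri(uri, checks):
    """Return the alert names a simplified http_decode pass raises for a URI.

    Assumed model: %00 -> CGI Null Byte; %uXXXX or an overlong UTF-8 lead
    byte (%C0/%C1) -> IIS Unicode. Only checks still enabled can fire."""
    alerts = []
    if "cginull" in checks and re.search(r"%00", uri, re.I):
        alerts.append("CGI Null Byte attack detected")
    if "unicode" in checks and (re.search(r"%u[0-9a-f]{4}", uri, re.I)
                                or re.search(r"%c[01]%", uri, re.I)):
        alerts.append("IIS Unicode attack detected")
    return alerts


def run(directive, dst_port, uris):
    """Apply the directive to a batch of URIs seen on dst_port."""
    ports, checks, unknown = parse_http_decode(directive)
    if dst_port not in ports:          # preprocessor only watches listed ports
        return {u: [] for u in uris}, unknown
    return {u: inspect_uri(u, checks) for u in uris}, unknown


# Constructed sample URIs (not from the thread).
SAMPLE_URIS = ["/cgi-bin/search?q=foo%00bar", "/docs/%c0%afindex.html", "/index.html"]
```

Running `run("preprocessor http_decode: 80 8080 -null -unicode", 80, SAMPLE_URIS)` still reports the null-byte alert and flags `-null` as unknown, while the `-cginull` form silences it.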