[Snort-users] http_decode preprocessor

Joe McAlerney joey at ...155...
Thu Mar 15 12:20:15 EST 2001


According to the most recent HTTP decode preprocessor documentation
(which I believe is only in the source file spp_http_decode.c), you need
to use -cginull rather than -null.  That should quiet things down.

-Joe M.

-- 
+--                            --+
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
+--                            --+

Erik Engberg wrote:
> 
> I am currently testing this since I have trouble with enormous amounts of
> false positives on the preprocessor unicode and cgi null attacks.
> 
> I am using the latest CVS source, openbsd current, logging to mysql and this
> in the config file:
> 
> preprocessor http_decode: 80 8080 -null -unicode
> 
> although the unicode alerts are gone (got 100 000 a day or so before), the
> spp_http_decode: CGI Null Byte attack detected are still dropping in at the
> rate of 15000 a day... the -null argument does not seem to work.
> 
> Also, the preprocessors are engaged before pass rules by design, wouldn't it
> be more convenient having pass rules before preprocessors to filter out
> false positives? I guess that would mean a performance hit though...
> 
> best regards,
> Erik Engberg
> 
> >-----Original Message-----
> >From: Martin Roesch [mailto:roesch at ...421...]
> >Sent: 12 March 2001 08:04
> >To: Alexandre Florio
> >Cc: snort-users at lists.sourceforge.net
> >Subject: Re: [Snort-users] http_decode preprocessor
> >
> >
> >Check out the latest version of Snort from
> >http://snort.sourceforge.net/snort-daily.tar.gz and try out the new
> >unidecode preprocessor while disabling UNICODE and NULL attack detection
> >in http_decode using the -unicode and -null arguments to the http_decode
> >preprocessor...
> >
> >   -Marty
> >
> >Alexandre Florio wrote:
> >>
> >>         How can I set up what I want to http_decode preprocessor to log?
> >>         I'm running snort fine, but I'm getting too much output about
> >> things that I know that aren't attacks...
> >>
> >>         For instance:
> >>
> >> -- Mar  7 08:44:15 firewall snort[26748]: spp_http_decode: CGI Null Byte attack detected: <host_on_MY_network>:1807 -> <outside_host>:80
> >>
> >> TIA
> >>
> >> Alexandre Florio
> >>
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> http://lists.sourceforge.net/lists/listinfo/snort-users
> >
> >--
> >Martin Roesch
> >roesch at ...421...
> >http://www.snort.org
> >
> >
> 
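The following Python is an added illustration of the behaviour discussed in this thread; it is not Snort's spp_http_decode code and was not written by anyone quoted above. It models an http_decode-style check over a few constructed request lines: a config line is parsed into monitored ports and disabled checks, URIs on those ports are percent-decoded and inspected for an embedded null byte, and %uXXXX sequences are treated as the "Unicode" condition. The option names -unicode and -cginull come from Joe's reply; the simplified detection heuristics, the treatment of an unrecognised option such as -null (recorded as unknown, with the check left enabled, which reproduces the symptom Erik describes) and the sample addresses are assumptions of this model.

```python
import re
from dataclasses import dataclass, field

# Option names taken from the thread. Anything else (e.g. "-null") is treated
# as unknown and does NOT disable a check; this is an assumption of the model,
# not a statement about how Snort itself parses the line.
DISABLE_UNICODE = "-unicode"
DISABLE_CGINULL = "-cginull"

PCT = re.compile(r"%([0-9A-Fa-f]{2})")        # %XX percent-encoding
UNICODE_ENC = re.compile(r"%u[0-9A-Fa-f]{4}")  # %uXXXX encoding (assumed "Unicode" check)


@dataclass
class HttpDecodeConfig:
    ports: set = field(default_factory=set)
    check_unicode: bool = True
    check_cginull: bool = True
    unknown_options: list = field(default_factory=list)


def parse_http_decode(line):
    """Parse e.g. 'preprocessor http_decode: 80 8080 -unicode -cginull'."""
    m = re.match(r"\s*preprocessor\s+http_decode\s*:\s*(.*)$", line)
    if not m:
        raise ValueError("not an http_decode preprocessor line: %r" % line)
    cfg = HttpDecodeConfig()
    for tok in m.group(1).split():
        if tok.isdigit():
            cfg.ports.add(int(tok))
        elif tok == DISABLE_UNICODE:
            cfg.check_unicode = False
        elif tok == DISABLE_CGINULL:
            cfg.check_cginull = False
        else:
            cfg.unknown_options.append(tok)  # silently ignored, check stays on
    return cfg


def inspect_uri(raw_uri, cfg):
    """Return (decoded_uri, [alert messages]) for one request URI."""
    alerts = []
    if cfg.check_unicode and UNICODE_ENC.search(raw_uri):
        alerts.append("Unicode attack detected")
    decoded = PCT.sub(lambda m: chr(int(m.group(1), 16)), raw_uri)
    if cfg.check_cginull and "\x00" in decoded:
        alerts.append("CGI Null Byte attack detected")
    return decoded, alerts


# Constructed sample traffic: (src, dst, HTTP request line). Addresses are
# documentation ranges, not real hosts.
SAMPLE_REQUESTS = [
    ("10.0.0.5:1807", "192.0.2.10:80", "GET /cgi-bin/search?q=foo%00bar HTTP/1.0"),
    ("10.0.0.5:1808", "192.0.2.10:80", "GET /search?q=%u00e9 HTTP/1.0"),
    ("10.0.0.5:1809", "192.0.2.10:443", "GET /x%00 HTTP/1.0"),   # port not monitored
    ("10.0.0.5:1810", "192.0.2.10:8080", "GET /index.html HTTP/1.0"),
]


def run(config_line, requests):
    """Apply one http_decode config line to request records; return alert strings."""
    cfg = parse_http_decode(config_line)
    out = []
    for src, dst, request_line in requests:
        port = int(dst.rsplit(":", 1)[1])
        if port not in cfg.ports:
            continue
        parts = request_line.split()
        if len(parts) < 2:
            continue
        _, alerts = inspect_uri(parts[1], cfg)
        for msg in alerts:
            out.append("spp_http_decode: %s: %s -> %s" % (msg, src, dst))
    return out


if __name__ == "__main__":
    for line in ("preprocessor http_decode: 80 8080 -null -unicode",
                 "preprocessor http_decode: 80 8080 -cginull -unicode"):
        print(line)
        for alert in run(line, SAMPLE_REQUESTS):
            print("  " + alert)
```

With the first config line the model still emits the CGI Null Byte alert because -null is not a recognised option; swapping it for -cginull, as Joe suggests, silences it while leaving the port list unchanged.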
