[Snort-users] http_decode preprocessor

Martin Roesch roesch at ...421...
Fri Mar 16 23:26:48 EST 2001


I just committed a patch that'll verify that the values handed to the
http_decode preprocessor are valid...

    -Marty



Joe McAlerney wrote:
> 
> According to the most recent HTTP decode preprocessor documentation
> (which I believe is only in the source file spp_http_decode.c), you need
> to use -cginull rather than -null.  That should quiet things down.
> 
> -Joe M.
> 
> --
> +--                            --+
> | Joe McAlerney, Silicon Defense |
> | http://www.silicondefense.com/ |
> +--                            --+
> 
> Erik Engberg wrote:
> >
> > I am currently testing this since I have trouble with enormous amounts of
> > false positives on the preprocessor unicode and cgi null attacks.
> >
> > I am using the latest CVS source, openbsd current, logging to mysql and this
> > in the config file:
> >
> > preprocessor http_decode: 80 8080 -null -unicode
> >
> > although the unicode alerts are gone (got 100 000 a day or so before), the
> > spp_http_decode: CGI Null Byte attack detected are still dropping in at the
> > rate of 15000 a day... the -null argument does not seem to work.
> >
> > Also, the preprocessors are engaged before pass rules by design, wouldn't it
> > be more convenient having pass rules before preprocessors to filter out
> > false positives? I guess that would mean a performance hit though...
> >
> > best regards,
> > Erik Engberg
> >
> > >-----Original Message-----
> > >From: Martin Roesch [mailto:roesch at ...421...]
> > >Sent: 12 March 2001 08:04
> > >To: Alexandre Florio
> > >Cc: snort-users at lists.sourceforge.net
> > >Subject: Re: [Snort-users] http_decode preprocessor
> > >
> > >
> > >Check out the latest version of Snort from
> > >http://snort.sourceforge.net/snort-daily.tar.gz and try out the new
> > >unidecode preprocessor while disabling UNICODE and NULL attack
> > >detection
> > >in http_decode using the -unicode and -null arguments to the
> > >http_decode
> > >preprocessor...
> > >
> > >   -Marty
> > >
> > >Alexandre Florio wrote:
> > >>
> > >>         How can I set up what I want to http_decode
> > >> preprocessor to log?
> > >>         I'm running snort fine, but I'm getting too much
> > >> output about things that
> > >> I know that aren't attacks...
> > >>
> > >>         For instance:
> > >>
> > >> -- Mar  7 08:44:15 firewall snort[26748]: spp_http_decode:
> > >> CGI Null Byte attack detected: <host_on_MY_network>:1807 ->
> > >> <outside_host>:80
> > >>
> > >> TIA
> > >>
> > >> Alexandre Florio
> > >>
> > >> _______________________________________________
> > >> Snort-users mailing list
> > >> Snort-users at lists.sourceforge.net
> > >> Go to this URL to change user options or unsubscribe:
> > >> http://lists.sourceforge.net/lists/listinfo/snort-users
> > >
> > >--
> > >Martin Roesch
> > >roesch at ...421...
> > >http://www.snort.org
> > >
> > >
> >
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
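An added example, not Snort's own code, of the kind of argument check Marty describes committing: it parses the `http_decode` option string from this thread and rejects an unknown flag such as `-null` instead of silently ignoring it, which is why Erik's CGI Null Byte alerts kept coming. It assumes, from the thread, that the only recognised flags are `-unicode` and `-cginull`; the port limit and function names are the example's own.

```c
/* Strict parser for the text after "preprocessor http_decode:" e.g.
 *   "80 8080 -unicode -cginull"
 * Assumption (from the thread): the only valid flags are -unicode and
 * -cginull. Anything else, such as -null, is an error, not a no-op. */
#include <stdlib.h>
#include <string.h>

#define MAX_PORTS 32

struct http_decode_cfg {
    int ports[MAX_PORTS];
    int nports;
    int unicode_off;   /* -unicode given: do not alert on Unicode encoding */
    int cginull_off;   /* -cginull given: do not alert on CGI null bytes   */
};

/* Returns 0 on success, -1 on any bad port, unknown flag or empty port list. */
int parse_http_decode_args(const char *args, struct http_decode_cfg *cfg)
{
    char buf[256];
    char *tok, *end;
    long port;

    memset(cfg, 0, sizeof(*cfg));
    if (strlen(args) >= sizeof(buf))
        return -1;                          /* option string too long */
    strcpy(buf, args);

    for (tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        if (tok[0] == '-') {                /* a flag: must be one we know */
            if (strcmp(tok, "-unicode") == 0)      cfg->unicode_off = 1;
            else if (strcmp(tok, "-cginull") == 0) cfg->cginull_off = 1;
            else return -1;                 /* "-null" lands here */
            continue;
        }
        port = strtol(tok, &end, 10);       /* otherwise a TCP port */
        if (*end != '\0' || port < 1 || port > 65535 || cfg->nports == MAX_PORTS)
            return -1;
        cfg->ports[cfg->nports++] = (int)port;
    }
    return cfg->nports > 0 ? 0 : -1;       /* at least one port required */
}

/* Convenience check: number of ports parsed, or -1 if the line is invalid. */
int http_decode_nports(const char *args)
{
    struct http_decode_cfg cfg;
    return parse_http_decode_args(args, &cfg) == 0 ? cfg.nports : -1;
}
```

With this check, Erik's line `80 8080 -null -unicode` is refused at startup rather than loading with CGI null detection still enabled.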
