[Snort-users] IIS Unicode attack detected

Andrew R. Baker andrewb at ...1150...
Sat Mar 17 20:48:59 EST 2001


And in 1.7.1 (which is still in beta), you can have the http_decode
processor ignore certain hosts.  (Eventually this will be even finer
grained and you can prevent unicode alerting for particular hosts, but
leave it on for everyone else.)

-A

Joe McAlerney wrote:
> 
> To completely ignore unicode attacks, you should add -unicode to the
> preprocessor's command line.  This will still allow the preprocessor to
> perform character conversions and cgi null attack checks.
> 
> -Joe M.
> 
> --
> +--                            --+
> | Joe McAlerney, Silicon Defense |
> | http://www.silicondefense.com/ |
> +--                            --+
> 
> Habu Takuya wrote:
> >
> > Hello,
> > I think what generates this alert is not a rule, but
> > "HTTP decode Preprocessor".
> >
> > If you use snort.conf file, probably you can see the following line
> > in the middle (around line 116):
> > preprocessor http_decode 80 8080
> >
> > comment out this line.
> >
> > > I'm new at snort. I've installed the current release to control our
> > > Internet traffic. I also installed the latest rulebase. Most of the
> > > alerts snort generates are "spp_http_decode: IIS Unicode attack
> > > detected" alerts. Those alerts occur often if some employees do a web
> > > connection to an internet site. I want to turn off this alert but
> > > didn't find the rule which generates this alert. Does anybody know
> > > where I can turn off this rule?
> > >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users



