[Snort-users] IIS Unicode attack detected
Andrew R. Baker
andrewb at ...1150...
Sat Mar 17 20:48:59 EST 2001
And in 1.7.1 (which is still in beta). You can hace the http_decode
ignore certain hosts. (Eventually this will be even finer grained and
prevent unicode alerting for particular hosts, but leave it on for
Joe McAlerney wrote:
> To completely ignore unicode attacks, you should add -unicode to the
> preprocessor's command line. This will still allow the preprocessor to
> perform chararacter conversions and cgi null attack checks.
> -Joe M.
> +-- --+
> | Joe McAlerney, Silicon Defense |
> | http://www.silicondefense.com/ |
> +-- --+
> Habu Takuya wrote:
> > Hello,
> > I think what generates this alert is not a rule, but
> > "HTTP decode Preprocessor".
> > If you use snort.conf file, probably you can see the following line
> > in the middle (around line 116):
> > preprocessor http_decode 80 8080
> > comment out this line.
> > > I'm new at snorg. I've installed the current release to control our
> > Internet
> > > traffic. I also installed the latest rulebase. Most of the alerts snort
> > > generates are "spp_http_decode: IIS Unicode attack detected" alerts. Those
> > > alerts occur often if some employes do a web connection to an internet
> > site.
> > > I want to turn off this alert but didn't find the rule which generates
> > this
> > > alert. Does anybody know where I can turn off this rule?
> > >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
More information about the Snort-users