[Snort-users] Re: http_preprocessor oddity with recent CVS snapshot

Ralf Hildebrandt Ralf.Hildebrandt at ...821...
Fri Mar 30 03:38:48 EST 2001


Ok, I can confirm this now:

a) If I DEACTIVATE http_decode, I get lots of "spp_http_decode unicode
   attack detected" warnings anyway.
   
b) If I ACTIVATE http_decode and use -unicode, I don't get the unicode
   warnings anymore, but now I get:

Mar 30 10:07:46 john snort[19596]: spp_http_decode: CGI Null byte attack detected : 195.243.106.23:62116 -> 64.4.20.250:80

Which is not as annoying, as it only occurs seldomly. But I'd really like to
disable the preprocessor entirely. 

-- 
ralf.hildebrandt at ...821...                            innominate AG
System Engineer                        Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX  fax: +49.(0)30.308806-698         

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010330/7cc533e1/attachment.sig>


More information about the Snort-users mailing list