[Snort-users] Re: http_preprocessor oddity with recent CVS snapshot
jean-baptiste.lallement at ...1699...
Fri Mar 30 11:01:47 EST 2001
At 30/03/2001 10:38, Ralf Hildebrandt wrote:
>Ok, I can confirm this now:
>a) If I DEACTIVATE http_decode, I get lots of "spp_http_decode unicode
> attack detected" warnings anyway.
>b) If I ACTIVATE http_decode and use -unicode, I don't get the unicode
> warnings anymore, but now I get:
>Mar 30 10:07:46 john snort: spp_http_decode: CGI Null byte attack
>detected : 220.127.116.11:62116 -> 18.104.22.168:80
did you tried to use -cginull option too ?
>Which is not as annoying, as it only occurs seldomly. But I'd really like to
>disable the preprocessor entirely.
>ralf.hildebrandt at ...821... innominate AG
>System Engineer Don't be afraid of what you see -
>Diplom-Informatiker be afraid of what you don't see!
>tel: +49.(0)7000.POSTFIX fax: +49.(0)30.308806-698
ZENI CORPORATION http://zeni.fr
Tél : 0.803.003.111 Fax : 03.44.57.35.55
More information about the Snort-users