[Snort-users] Re: http_preprocessor oddity with recent CVS snapshot

JB Lallement jean-baptiste.lallement at ...1699...
Fri Mar 30 11:01:47 EST 2001


At 30/03/2001 10:38, Ralf Hildebrandt wrote:
>Ok, I can confirm this now:
>
>a) If I DEACTIVATE http_decode, I get lots of "spp_http_decode unicode
>    attack detected" warnings anyway.
>
>b) If I ACTIVATE http_decode and use -unicode, I don't get the unicode
>    warnings anymore, but now I get:
>
>Mar 30 10:07:46 john snort[19596]: spp_http_decode: CGI Null byte attack 
>detected : 195.243.106.23:62116 -> 64.4.20.250:80


Hi,

did you tried to use -cginull option too ?



>Which is not as annoying, as it only occurs seldomly. But I'd really like to
>disable the preprocessor entirely.
>
>--
>ralf.hildebrandt at ...821...                            innominate AG
>System Engineer                        Don't be afraid of what you see -
>Diplom-Informatiker                     be afraid of what you don't see!
>tel: +49.(0)7000.POSTFIX  fax: +49.(0)30.308806-698
>

|---                                  ---|
  Jean-Baptiste LALLEMENT
  ZENI CORPORATION          http://zeni.fr
  Tél : 0.803.003.111 Fax : 03.44.57.35.55
|---                                  ---|





More information about the Snort-users mailing list