[Snort-users] Re: http_preprocessor oddity with recent CVS snapshot

JB Lallement jean-baptiste.lallement at ...1699...
Fri Mar 30 11:01:47 EST 2001

At 30/03/2001 10:38, Ralf Hildebrandt wrote:
>Ok, I can confirm this now:
>a) If I DEACTIVATE http_decode, I get lots of "spp_http_decode unicode
>    attack detected" warnings anyway.
>b) If I ACTIVATE http_decode and use -unicode, I don't get the unicode
>    warnings anymore, but now I get:
>Mar 30 10:07:46 john snort[19596]: spp_http_decode: CGI Null byte attack 
>detected : ->


did you tried to use -cginull option too ?

>Which is not as annoying, as it only occurs seldomly. But I'd really like to
>disable the preprocessor entirely.
>ralf.hildebrandt at ...821...                            innominate AG
>System Engineer                        Don't be afraid of what you see -
>Diplom-Informatiker                     be afraid of what you don't see!
>tel: +49.(0)7000.POSTFIX  fax: +49.(0)30.308806-698

|---                                  ---|
  Jean-Baptiste LALLEMENT
  ZENI CORPORATION          http://zeni.fr
  Tél : 0.803.003.111 Fax :
|---                                  ---|

More information about the Snort-users mailing list