[Snort-users] Where to configure/change rules for this one?

Ed Greshko Edward.M.Greshko at ...1974...
Thu May 3 13:01:09 EDT 2001


Hi,

I'm seeing may of the following in logs:

# more TCP:1171-80
[**] spp_http_decode: IIS Unicode attack detected [**]
05/03-23:12:18.641497 129.179.xx.xx:1171 -> 202.85.139.157:80
TCP TTL:127 TOS:0x0 ID:2039 IpLen:20 DgmLen:484 DF
***AP*** Seq: 0x6D4A2C44  Ack: 0x34EF9A9F  Win: 0x2238  TcpLen: 20

As far as I can tell this is normal surfing by someone running Win2K English
version connecting to a site here in Taiwan and reading Chinese site in Hong
Kong.

The messages don't appear to be coming from the included rules.

Thanks,
Ed






More information about the Snort-users mailing list