[Snort-users] Where to configure/change rules for this one?
neil at ...1633...
Thu May 3 13:22:58 EDT 2001
"Ed Greshko" <Edward.M.Greshko at ...1974...> wrote:
>[**] spp_http_decode: IIS Unicode attack detected [**]
>05/03-23:12:18.641497 129.179.xx.xx:1171 -> 126.96.36.199:80
>TCP TTL:127 TOS:0x0 ID:2039 IpLen:20 DgmLen:484 DF
>***AP*** Seq: 0x6D4A2C44 Ack: 0x34EF9A9F Win: 0x2238 TcpLen: 20
>As far as I can tell this is normal surfing by someone running Win2K English
>version connecting to a site here in Taiwan and reading Chinese site in Hong
>The messages don't appear to be coming from the included rules.
They aren't. Look for a line in your configuration file that looks like this:
preprocessor http_decode: 80 8080
Those entries are coming from the preprocessor. You need to turn off the
"unicode" capability by changing the line to look like this:
preprocessor http_decode: 80 8080 -unicode
Then reset Snort to get it to re-read the configuration files.
Neil Dickey, Ph.D.
Northern Illinois University
More information about the Snort-users