[Snort-users] Where to configure/change rules for this one?

Neil Dickey neil at ...1633...
Thu May 3 18:05:55 EDT 2001

"Ed Greshko" <Edward.M.Greshko at ...1974...> wrote:

>>   preprocessor http_decode: 80 8080 -unicode
>Thanks....  I'll be having my eyes examined in the morning....

Don't feel bad.  I fell into that particular hole myself!  That's
how I happened to learn the remedy ....   ;-)

>I do wonder, however, if the code could be modified to be more tolerant to
>avoid false positives.

That I don't know.  Not all unicode packets represent attacks, obviously,
but I'm not sophisticated enough in these matters ( yet! ) to know what
to do about the false positives.  One would doubtless have to get into the
source code for the preprocessor and tweak it in order to improve things,
but that may not be as straightforward as it might sound.

A question for the list:  Does anyone have an estimate for what percentage
of installations have the unicode alert turned off?  If the percentage is
large, that might suggest an overhaul.

Just a thought -- and not evidence of ingratitude for what really is a fine
software package.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
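The thread's quoted config line silences the http_decode unicode alert wholesale, and Neil wonders whether the preprocessor could instead be made tolerant of legitimate unicode. As an added illustration (not Snort code, not from either poster), the small Python model below sketches one such tolerant policy: decode `%XX` and IIS-style `%uXXXX` sequences, and raise a finding only when a `%u` sequence encodes a plain ASCII character (which no normal client needs to do) or when the decoded path contains a dot-dot segment. Ordinary UTF-8 percent-encoding and `%u` sequences for non-ASCII text pass without an alert. The request strings and the `decode_uri`/`classify` names are constructed for this example.

```python
import re

# Matches IIS-style %uXXXX (group 1) or standard %XX (group 2) sequences.
_ENC = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')


def decode_uri(raw: str):
    """Decode percent/%u sequences in a request path.

    Returns (decoded_text, findings). A finding is recorded for a %u
    sequence that decodes to ASCII (needless encoding, a classic evasion
    signal) and for a '..' path segment visible only after decoding.
    Standard %XX encoding never produces a finding by itself.
    """
    buf = bytearray()
    findings = []
    pos = 0
    for m in _ENC.finditer(raw):
        buf += raw[pos:m.start()].encode('utf-8')
        pos = m.end()
        if m.group(1):
            cp = int(m.group(1), 16)
            if cp < 0x80:
                findings.append(f"%u-encoded ASCII {chr(cp)!r}: {m.group(0)}")
            # surrogatepass keeps lone surrogates from raising; they become
            # U+FFFD in the final decode step below
            buf += chr(cp).encode('utf-8', 'surrogatepass')
        else:
            buf.append(int(m.group(2), 16))   # raw byte, UTF-8 decoded later
    buf += raw[pos:].encode('utf-8')
    text = buf.decode('utf-8', errors='replace')
    if re.search(r'(^|/)\.\.(/|$)', text):
        findings.append("dot-dot segment after decoding")
    return text, findings


def classify(raw: str):
    """Return ('alert' | 'pass', decoded_text, findings) for one request path."""
    text, findings = decode_uri(raw)
    return ("alert" if findings else "pass"), text, findings


if __name__ == "__main__":
    # Constructed sample request paths: two benign internationalised
    # URLs, one plain one, and one obfuscated traversal attempt.
    samples = [
        "/docs/r%C3%A9sum%C3%A9.html",
        "/search?q=%u00e9cole",
        "/images/logo.png",
        "/%u002e%u002e/%u002e%u002e/config",
    ]
    for s in samples:
        verdict, text, findings = classify(s)
        print(f"{verdict:5} {s!r} -> {text!r}")
        for f in findings:
            print(f"      - {f}")
```

Run as a script it prints a verdict per sample; only the last one alerts. The design choice is the one Neil hints at: tolerate the encoding itself and judge what it decodes to, so a blanket "any unicode means an attack" rule is replaced by two narrower conditions that ordinary traffic rarely meets.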
