[Snort-users] http_decode alerts bypassing "pass" rules
neil at ...1633...
Wed May 9 13:00:07 EDT 2001
Pete Philips <pete at ...639...> wrote asking:
[ ... Snip, "pass" rules ... ]
>This works fine and no alerts are generated by these hosts
>except when it is generated by http_decode such as:
>May 9 15:59:44 spock snort: spp_http_decode: IIS Unicode attack detected:
>10.1.1.31:1312 -> 192.168.1.1:80
>Is there a way to also silence these alerts for particular hosts?
So far as I know there isn't. One can only turn off the unicode alerts
or turn them on. It isn't possible to control the preprocessor with
respect to specific hosts.
Use the "-unicode" switch on the http_decode preprocessor line in the
configuration file to turn them off. Remember to reset Snort to get it
to respond to your changes.
Neil Dickey, Ph.D.
Northern Illinois University
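Because the preprocessor cannot be scoped per host, one option is to filter its syslog output downstream of Snort; the sketch below is an added example, not part of the original post and not Snort code. It assumes the single-line syslog format quoted above, and the names `parse_alert`, `filter_alerts` and the trusted-source list are hypothetical.

```python
import ipaddress
import re

# Matches the spp_http_decode syslog line quoted in the post:
#   "... snort: spp_http_decode: <message>: <src>:<port> -> <dst>:<port>"
ALERT_RE = re.compile(
    r"snort: spp_http_decode: (?P<msg>.+?): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+\s*$"
)


def parse_alert(line):
    """Return (message, src_ip, dst_ip) for an http_decode alert, else None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        # Malformed address (e.g. octet > 255): treat as unparsed, keep the line.
        return None
    return m["msg"], src, dst


def filter_alerts(lines, trusted_sources):
    """Drop http_decode alerts whose source is in trusted_sources (IPs or CIDRs).

    Every other line, including anything that fails to parse, is kept so that
    nothing is silenced by accident.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_sources]
    kept = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed and any(parsed[1] in net for net in nets):
            continue
        kept.append(line)
    return kept


# First line is the alert from the post; the other two are constructed samples.
SAMPLE = [
    "May 9 15:59:44 spock snort: spp_http_decode: IIS Unicode attack detected: 10.1.1.31:1312 -> 192.168.1.1:80",
    "May 9 16:02:10 spock snort: spp_http_decode: IIS Unicode attack detected: 172.16.5.9:2044 -> 192.168.1.1:80",
    "May 9 16:03:00 spock sshd[412]: Connection closed by 10.1.1.31",
]

if __name__ == "__main__":
    for kept_line in filter_alerts(SAMPLE, ["10.1.1.31"]):
        print(kept_line)
```

Filtering this way hides every http_decode alert sourced from the listed hosts, so keep the list short and keep the unfiltered log for later review.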