[Snort-users] http_decode alerts bypassing "pass" rules

Neil Dickey neil at ...1633...
Wed May 9 13:00:07 EDT 2001


Pete Philips <pete at ...639...> wrote asking:

[ ... Snip, "pass" rules ... ]

>This works fine and no alerts are generated by these hosts
>except when it is generated by http_decode such as:
>
>May  9 15:59:44 spock snort: spp_http_decode: IIS Unicode attack detected:
>10.1.1.31:1312 -> 192.168.1.1:80
>
>Is there a way to also silence these alerts for particular hosts?

So far as I know there isn't.  One can only turn off the unicode alerts
or turn them on.  It isn't possible to control the preprocessor with
respect to specific hosts.

Use the "-unicode" switch on the http_decode preprocessor line in the
configuration file to turn them off.  Remember to reset Snort to get it
to respond to your changes.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115




More information about the Snort-users mailing list