[Snort-users] sadmind rule

Andrew Daviel andrew at ...523...
Wed May 9 15:48:53 EDT 2001

On Wed, 9 May 2001, Max Vision wrote:

> The NT/IIS attacks will be seen by IDS433:
>  http://whitehats.com/info/IDS433  (http-iis-unicode-traversal-optyx)

Not if the HTTP preprocessor is enabled - which for me gives
way too many "spp_http_decode: IIS Unicode attack detected " to

The IDS433 rule doesn't seem to be in the ruleset I was running (Jan 18
2001 probably) or in the "current" 1.7 snortrules.tar.gz I just

Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at ...524...
