[Snort-users] spp_http_decode: CGI Null Byte attack detected

Dan Fiorito danf at ...1406...
Tue May 29 16:13:54 EDT 2001


http://www.snort.org/FAQ.html

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I am getting too many "IIS Unicode attack detected" and/or "CGI Null Byte
   attack detected" false positives.  How can I turn this detection off?

A: These messages are produced by the http_decode preprocessor.  If you wish
   to turn these checks off, add -unicode or -cginull to your http_decode
   preprocessor line respectively.

	preprocessor http_decode: 80 8080 -unicode -cginull




-----Original Message-----
From: John Johnson [mailto:john at ...599...]
Sent: Tuesday, May 29, 2001 3:29 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] spp_http_decode: CGI Null Byte attack detected


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 with snort 1.7 I am getting lot's of alerts for CGI Null Byte
 attacks and well there are not any! I can't locate this  
rule and was wondering if there was a way to deal with it.

- -John

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBOxP4gQfP+qzR55XlEQLpZACeJGNfR8FpeVMTx9eTaASaRfVoUNMAnjQL
w7qjCjc8h57viAHjwHLeh6Ta
=fgJy
-----END PGP SIGNATURE-----




_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list