[Snort-users] spp_unicode exploits

John Sage jsage at ...2022...
Mon Nov 26 06:29:05 EST 2001


Tom:

I believe that is handled in snort.conf:

# unidecode: normalize HTTP/detect UNICODE attacks
# ------------------------------------------------
# Works much the same as http_decode, but does a better
# job of categorizing and identifying UNICODE attacks,
# recommended as a potential replacement for http_decode.

preprocessor unidecode: 80 -unicode -cginull

#


..and not by any specific rule.


This is similar to the stream4 preprocessor, which people see but often 
can't quickly figure out why:

# memcap [number] - limit stream4 memory usage to [number] bytes

preprocessor stream4: detect_scans, detect_state_problems

#



HTH..

- John


Tom Fischer wrote:

> Hi,
> 
> Snort detects several outgoing unicode exploits (all false positives) but I 
> didn't define it in any rule. I'm using demarc for monitoring. Grepping through 
> the ruleset and the sources results in nothing. 
> 
> Where can I find it?
> 
> Thx
> 
> Tom
> - -- 
> Tom Fischer			ABH Marketingservice GmbH
> System Administrator		Weisshaustraße 23a
> Tel: 0221-94400446		50939 Köln	
> http://www.abh.de







