[Snort-users] http_decode vs. alerts
WilliamsJon at ...2134...
Mon Oct 1 11:59:06 EDT 2001
Now that things have started to quiet down a bit, I'm going through my logs
looking for why I wasn't seeing the kinds of alerts from Nimda that people
were reporting on the list. What I found was that I'd set up custom actions
to handle all of my signatures, but most of the Nimda traffic was being
caught by the http_decode preprocessor and being recorded to a separate file
rather than following my custom actions.
I don't really care how I get there, but I'd like to get to the point where
all my alerts go to the same place. Can I apply my custom actions to the
preprocessor? Should I just remove the http_decode lines and just accept
the fact that I'll miss Unicode-obfuscated attacks? Is there another option
that I've missed?
More information about the Snort-users