[Snort-users] http_decode vs. alerts

Williams Jon WilliamsJon at ...2134...
Mon Oct 1 11:59:06 EDT 2001


Now that things have started to quiet down a bit, I'm going through my logs
looking for why I wasn't seeing the kinds of alerts from Nimda that people
were reporting on the list.  What I found was that I'd set up custom actions
to handle all of my signatures, but most of the Nimda traffic was being
caught by the http_decode preprocessor and being recorded to a separate file
rather than following my custom actions.

I don't really care how I get there, but I'd like to get to the point where
all my alerts go to the same place.  Can I apply my custom actions to the
preprocessor?  Should I just remove the http_decode lines and just accept
the fact that I'll miss Unicode-obfuscated attacks?  Is there another option
that I've missed?

Thanks.

Jon





More information about the Snort-users mailing list