[Snort-users] Not feeling the LOVE

McCammon, Keith Keith.McCammon at ...3497...
Mon Mar 4 11:07:20 EST 2002


Have you set the -cginull switch in your snort.conf file?  And have you
considered running http_decode instead of unidecode?  

-----Original Message-----
From: Ben Keepper [mailto:bkeepper at ...4822...]
Sent: Monday, March 04, 2002 1:56 PM
To: snort-users at lists.sourceforge.net
Cc: DEMARC-Users at ...2629...
Subject: [Snort-users] Not feeling the LOVE


I have posted several times all over webdom and have not received a
single reply to this question:
 
"I posted this to the snort users list. No replies. I don't think it is
a stupid question and it is not covered in the documentation. 
I am getting a lot of spp_unidecode (mostly CGI null byte attack) false
positives originating from my firewall NAT address going ONLY to specific
web sites (ingrammicro and compaq to be specific).
How can I eliminate these false positives? Obviously normal rule
modifications won't work because this is a preprocessor.
ANY help would be appreciated."
 
If everybody is ignoring this because it is covered in the documentation,
please be helpful and point me to the spot.
 
I can't believe I am the only one having this issue.
 
Once again, any help (or thoughts) would be appreciated,
 
Thanks,
 
Ben