[Snort-users] Not feeling the LOVE

Matt Kettler mkettler at ...4108...
Mon Mar 4 14:13:01 EST 2002

Actually, I do have Ben's original post about the topic still in my inbox. It 
was dated mid-February and is not mangled, but was MIME-converted by my 
mail server (from quoted-printable; his most recent post was converted 
from base64).

The original message has these relevant headers (among others):
   Date: Mon, 18 Feb 2002 11:29:39 -0800
   Content-Transfer-Encoding: 8bit
   Subject: [Snort-users] spp_unidecode false positive

Basically he comments that these alerts are going off for packets from his 
network heading to Compaq and Ingram Micro websites. Sounds like Compaq 
and Ingram (amongst many others) use submissions that contain all kinds of 
wacky byte patterns. I've found these alerts to be quite noisy myself.

As for what to do about the "false" positives, I personally use http_decode 
with those particular alerts disabled (as someone else already 
suggested). The webserver I'm protecting is fairly minimal and has no CGIs 
running on it, so these aren't really a major concern to me. From what I 
understand, unidecode is still a bit on the experimental side anyway.

preprocessor http_decode: 80 -unicode -cginull
<comment block>
# preprocessor unidecode: 80 -unicode -cginull

I would only consider turning these on for a Snort box which will only see 
traffic which is bound for your webserver; it's just too noisy if client 
PCs are in the traffic.

At 01:13 PM 3/4/2002 -0800, John Sage wrote:
>On Mon, Mar 04, 2002 at 10:56:11AM -0800, Ben Keepper wrote:
> > I have posted several times all over webdom and have not received a
> > single reply to this question:
>That's funny..
>I have about 370 emails in my mbox, and when I sort by sender name,
>your name comes only once, on this post...
> > 
>- John
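As an added illustration (not Matt's configuration and not Snort's own code), here is a small Python model of the two checks that http_decode's -unicode and -cginull flags switch off, run over constructed requests: it shows why the checks are noisy when internal client PCs' traffic to outside sites is inspected, and how much quieter they get when the sensor only sees traffic bound for the protected web server, which is the scoping Matt recommends. The 192.0.2.10 server address, the other hosts and the request URIs are all made up for the example.

```python
import re

# Constructed sample traffic for the example: (src_ip, dst_ip, dst_port, request_uri).
# 192.0.2.10 plays the protected web server; the 198.51.100.x hosts play outside
# vendor sites that internal client PCs submit forms to.
SAMPLE_REQUESTS = [
    ("10.1.1.5", "198.51.100.7", 80, "/search?q=%u2122+laptop"),    # IIS-style %u escape
    ("10.1.1.9", "198.51.100.8", 80, "/order?part=%C3%A9%C3%A8"),   # UTF-8 bytes in a form field
    ("203.0.113.4", "192.0.2.10", 80, "/cgi-bin/form?name=a%00b"),  # NUL byte in a CGI parameter
    ("203.0.113.5", "192.0.2.10", 80, "/index.html"),
    ("203.0.113.6", "192.0.2.10", 80, "/cgi-bin/form?name=%C3%A9"),
]

PCT_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")
U_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}", re.IGNORECASE)


def classify_uri(uri):
    """Simplified stand-ins for the two checks named in the post (illustration
    only, not Snort's real decoding logic):
      'unicode' - %uXXXX escapes or %XX escapes for bytes >= 0x80, the sort of
                  "wacky byte patterns" web forms send, hence the noise;
      'cginull' - a %00 escape, i.e. an embedded NUL byte."""
    kinds = set()
    values = [int(h, 16) for h in PCT_ESCAPE.findall(uri)]
    if U_ESCAPE.search(uri) or any(v >= 0x80 for v in values):
        kinds.add("unicode")
    if 0 in values:
        kinds.add("cginull")
    return kinds


def http_decode_alerts(requests, protected_servers=None, disabled=()):
    """Return (src, dst, kind, uri) alerts for port-80 requests.
    protected_servers: if given, inspect only traffic bound for these hosts
                       (the "sensor that only sees web server traffic" case).
    disabled:          check names to skip, mirroring the -unicode / -cginull flags."""
    alerts = []
    for src, dst, port, uri in requests:
        if port != 80:
            continue
        if protected_servers is not None and dst not in protected_servers:
            continue  # client PC talking to an outside site: not our concern
        for kind in sorted(classify_uri(uri)):
            if kind not in disabled:
                alerts.append((src, dst, kind, uri))
    return alerts
```

Run unscoped over all five requests the model raises four alerts, two of them for client traffic to the vendor sites; scoped to 192.0.2.10 it raises two, and with both checks disabled (the post's http_decode line) none.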

