[Snort-users] Not feeling the LOVE
mkettler at ...4108...
Mon Mar 4 14:13:01 EST 2002
Actually I do have Ben's original post about the topic still in my inbox;
it was dated mid-February and is not mangled, but was MIME-converted by my
mailserver (from quoted-printable, but his most recent post was converted
The original message has these relevant headers (among others):
Date: Mon, 18 Feb 2002 11:29:39 -0800
Subject: [Snort-users] spp_unidecode false positive
Basically he comments that these alerts are going off for packets from his
network heading to Compaq and Ingram Micro websites. Sounds like Compaq
and Ingram (amongst many others) use submissions that contain all kinds of
wacky byte patterns. I've found these alerts to be quite noisy myself.
As for what to do about the "false" positives, I personally use http_decode
with those particular alerts disabled (as someone else already
suggested). The webserver I'm protecting is fairly minimal and has no CGIs
running on it, so these aren't really a major concern to me. From what I
understand, unidecode is still a bit on the experimental side anyway.
preprocessor http_decode: 80 -unicode -cginull
# preprocessor unidecode: 80 -unicode -cginull
I would only consider turning these on for a Snort box which will only see
traffic which is bound for your webserver; it's just too noisy if client
PCs are in the traffic.
At 01:13 PM 3/4/2002 -0800, John Sage wrote:
>On Mon, Mar 04, 2002 at 10:56:11AM -0800, Ben Keepper wrote:
> > I have posted several times all over webdom and have not received a
> > single reply to this question:
>I have about 370 emails in my mbox, and when I sort by sender name,
>your name comes only once, on this post...
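Added illustration, not Snort's source or anything from this thread's authors: a toy model of the http_decode switches discussed above, showing why the unicode and CGI-null alerts fire on outbound client submissions and go quiet either when the `-unicode -cginull` options are given or when the sensor only inspects traffic bound for the protected webserver. The request records and the `PROTECTED_SERVER` address are constructed.

```python
"""Toy model of the http_decode alert switches from the thread (added
example, not Snort's code).  Sample traffic below is constructed."""
import re

PROTECTED_SERVER = "192.0.2.10"   # assumed address of the webserver being guarded


def parse_http_decode(line):
    """Parse 'preprocessor http_decode: 80 -unicode -cginull' into
    (ports, unicode_alert_on, cginull_alert_on).  A '-option' token turns
    that detection OFF, which is how the config line in the thread works."""
    opts = line.split(":", 1)[1].strip().split()
    ports = {int(t) for t in opts if t.isdigit()}
    return ports, "-unicode" not in opts, "-cginull" not in opts


def inspect_uri(uri, unicode_on, cginull_on):
    """Return the alert names a single request URI would raise."""
    alerts = []
    if unicode_on and re.search(r"%u[0-9a-f]{4}", uri, re.I):
        alerts.append("UNICODE_ATTACK")      # IIS-style %uXXXX encoding
    if cginull_on and re.search(r"%00", uri, re.I):
        alerts.append("CGI_NULL_BYTE")       # URL-encoded NUL in the request
    return alerts


def run_sensor(requests, config_line, server_only=False):
    """Apply the checks to every request on a configured port.  With
    server_only=True only traffic to PROTECTED_SERVER is inspected, i.e. a
    sensor placed where it sees nothing but webserver-bound traffic."""
    ports, uni, nul = parse_http_decode(config_line)
    hits = []
    for dst_ip, dst_port, uri in requests:
        if dst_port not in ports:
            continue
        if server_only and dst_ip != PROTECTED_SERVER:
            continue
        for alert in inspect_uri(uri, uni, nul):
            hits.append((dst_ip, alert))
    return hits


# Constructed sample traffic: two outbound submissions from internal client
# PCs to external vendor sites, plus one clean request to the protected server.
SAMPLE = [
    ("198.51.100.20", 80, "/cgi-bin/search?q=%u0041%u0042"),   # client -> external
    ("198.51.100.30", 80, "/order.cgi?item=123%00&qty=2"),     # client -> external
    ("192.0.2.10", 80, "/index.html"),                          # inbound, clean
]
```

With the default line `preprocessor http_decode: 80` both outbound requests raise alerts; the thread's `-unicode -cginull` line silences them, and so does restricting inspection to server-bound traffic.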