[Snort-users] Excluding hosts from spp_unicode

John Bradberry jbradberry at ...5823...
Sat May 11 20:07:19 EDT 2002


Hello:

Background:

Our team employs snort 1.8.6 (Build 105) with spp_unicode enabled.

Our firewall address is 10.0.0.1.

snort is run with the -F option calling this bpf:

'not src host 10.0.0.1 and not dst port 80'

The config includes:
preprocessor portscan-ignorehosts:[10.0.0.1/32]

However, this configuration still results in spp_unicode alerts from outbound http traffic
passing through our firewall [10.0.0.1]:

May 10 11:07:37 sensor [110:4:1] spp_unidecode: Invalid Unicode String detected <fxp2>
{TCP} 10.0.0.1:27659 -> external_host:80

Any idea on how to exclude a host from spp_unicode?  I've read the FAQ and looked at
spp_unicode.c with no additional clues.  I've also tried several incantations of the bpf
filter.  Assistance is much appreciated.

Thank you and best regards.

--
John Bradberry
214.312.4449
The Greentree Group
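A quick way to check what the BPF expression quoted above actually admits, before troubleshooting how Snort loads it: the following evaluator is an added example, not code from the post or from Snort, and supports only the `not`/`and`, `host` and `port` primitives used in that filter. The packet tuples are constructed; the alerted packet (source 10.0.0.1 to an external host on port 80) should be rejected by the filter as written, so if such alerts still appear, the expression is not reaching the capture engine in that form.

```python
# Added check (not from the original post): evaluate a small subset of
# BPF syntax against constructed packet tuples to see which packets the
# filter 'not src host 10.0.0.1 and not dst port 80' lets through.
# In BPF, 'not' binds tighter than 'and', so this reads as
# (not src host 10.0.0.1) and (not dst port 80).

FILTER = "not src host 10.0.0.1 and not dst port 80"


def _clause_matches(clause, pkt):
    """Evaluate one BPF primitive (optionally negated) against a packet dict."""
    words = clause.split()
    negate = False
    if words[0] == "not":
        negate = True
        words = words[1:]
    direction = None
    if words[0] in ("src", "dst"):
        direction = words.pop(0)
    kind, value = words[0], words[1]
    if kind == "host":
        fields = [pkt["src"], pkt["dst"]]      # [source addr, dest addr]
    elif kind == "port":
        fields = [pkt["sport"], pkt["dport"]]  # [source port, dest port]
        value = int(value)
    else:
        raise ValueError("unsupported primitive: %s" % kind)
    if direction == "src":
        fields = fields[:1]
    elif direction == "dst":
        fields = fields[1:]
    hit = value in fields
    return not hit if negate else hit


def bpf_passes(expr, pkt):
    """True if the packet passes the filter; only 'and'-joined primitives are handled."""
    return all(_clause_matches(c.strip(), pkt) for c in expr.split(" and "))


# Constructed packets: the one from the alert, plus three controls.
ALERT_PKT = {"src": "10.0.0.1", "sport": 27659, "dst": "203.0.113.5", "dport": 80}
OTHER_WEB = {"src": "10.0.0.9", "sport": 40000, "dst": "203.0.113.5", "dport": 80}
FW_SSH = {"src": "10.0.0.1", "sport": 50000, "dst": "203.0.113.5", "dport": 22}
OTHER_SSH = {"src": "10.0.0.9", "sport": 50000, "dst": "203.0.113.5", "dport": 22}

if __name__ == "__main__":
    for name, pkt in (("alert", ALERT_PKT), ("other_web", OTHER_WEB),
                      ("fw_ssh", FW_SSH), ("other_ssh", OTHER_SSH)):
        print(name, "passes" if bpf_passes(FILTER, pkt) else "dropped")
```

Only the non-firewall, non-port-80 packet passes; the alerted packet is dropped by both clauses, which is the behaviour to compare against what the sensor is actually doing.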
