[Snort-users] Excluding hosts from spp_unicode

John Bradberry jbradberry at ...5823...
Sat May 11 20:07:19 EDT 2002



Our team employs snort 1.8.6 (Build 105) with spp_unicode enabled.

Our firewall address is

snort is run with the -F option calling this bpf:

'not src host and not dst port 80'

The config includes:
preprocessor portscan-ignorehosts:[]

However, this configuration still results in spp_unicode alerts from outbound http traffic
passing through our firewall []:

May 10 11:07:37 sensor [110:4:1] spp_unidecode: Invalid Unicode String detected <fxp2>
{TCP} -> external_host:80

Any idea on how to exclude a host from spp_unicode?  I've read the FAQ and looked at
spp_unicode.c with no additional clues.  I've also tried several incantations of the bpf
filter.  Assistance is much appreciated.

Thank you and best regards.

John Bradberry
The Greentree Group
