[Snort-users] no more "unicode attack detected" alerts

Gary Merrick gary.merrick at ...741...
Sat Jan 25 14:08:02 EST 2003


Since upgrading from Snort 1.8.7 to 1.9.0, I've stopped getting the
"unicode attack detected" alerts that I'm used to seeing.  My Apache web
logs show the Code Red or Nimda worms are still connecting, but Snort
doesn't seem to detect it.

I have the web-iis.rules module enabled.  And I'm getting other types of
alerts, so my network variables seem to be OK.  The new 1.9.0 config
file includes some new http decode stuff, and I've tried using it as
such (below), or commenting it out completely; neither way gets me the
unicode alerts.

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

I know I'm overlooking something, and was hoping somebody out there
could help point it out.

TIA!
Gary