[Snort-users] no more "unicode attack detected" alerts
gary.merrick at ...741...
Sat Jan 25 14:08:02 EST 2003
Since upgrading from Snort 1.8.7 to 1.9.0, I've stopped getting the
"unicode attack detected" alerts that I'm used to seeing. My Apache web
logs show the Code Red or Nimda worms are still connecting, but Snort
doesn't seem to detect it.
I have the web-iis.rules module enabled. And I'm getting other types of
alerts, so my network variables seem to be OK. The new 1.9.0 config
file includes some new http decode stuff, and I've tried using it as
such (below), or commenting it out completely, neither way gets me the
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
I know I'm overlooking something, and was hoping somebody out there
could help point it out.
More information about the Snort-users