[Snort-users] bare byte unicode encoding

psitton at ...9090... psitton at ...9090...
Thu Aug 18 10:08:36 EDT 2005


I've been using Snort for a while and I've been seeing this
preprocessor-based alert that's been confusing me. What has always
happened on my corp network is that hundreds of inside addresses
generate alerts going to the outside (mostly). Users going to eBay,
Amazon and hundreds of other target sites generate this. Typically in
one hour I'll usually get 3 to 4 thousand alerts from several hundred
inside source addresses going to 3 to 4 hundred different target
addresses. The only real info I have on this is in the
README.http_inspect. This has been happening for quite a while and I'm
having problems trying to figure this one out. Currently using 2.4.0
running on Debian 3 and using the VRT rule set. Not sure where to go
from here.

Pat

-- 
mailto:psitton at ...9090...




