[Snort-users] DOUBLE DECODING ATTACK

hans rosa.schwein at ...12989...
Thu Aug 18 10:19:31 EDT 2005


hi snorters 

i run snort 2.3.2 on solaris 9 
in the logs i see  a lot of entries
with text: DOUBLE DECODING ATTACK

nearly all of the entries are generated 
by the source ip-adress of my proxy. 

so i assume, i didn't setup snort correctly.

in snort.conf i did define variable HOME_NET
and also var EXTERNAL_NET !$HOME_NET 
HOME_NET is defined as super-net of 8 c-class ( /21 ) 
where proxy-ip is included.

i start snort with option -h and my network.

or is there a way to disable this rule ? 

best regards 
hans 

-- 





More information about the Snort-users mailing list