[Snort-users] DOUBLE DECODING ATTACK

Briggs, Bruce Bruce.Briggs at ...13183...
Thu Aug 18 12:48:36 EDT 2005


You use threshold.conf to disable these preprocessor alerts. 

suppress gen_id 119, sig_id 2     # disable http_inspect: DOUBLE DECODING ATTACK alerts

Make sure that threshold.conf is enabled in your snort.conf.

Bruce

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of hans
Sent: Thursday, August 18, 2005 1:04 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] DOUBLE DECODING ATTACK


hi snorters 

i run snort 2.3.2 on solaris 9 
in the logs i see  a lot of entries
with text: DOUBLE DECODING ATTACK

nearly all of the entries are generated 
by the source ip-address of my proxy. 

so i assume, i didn't set up snort correctly.

in snort.conf i did define variable HOME_NET
and also var EXTERNAL_NET !$HOME_NET 
HOME_NET is defined as super-net of 8 c-class ( /21 ) 
where proxy-ip is included.

i start snort with option -h and my network.

or is there a way to disable this rule ? 

best regards 
hans 
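
Added example, not part of the original thread: a small Python check that snort.conf has an uncommented include for threshold.conf and that lists which suppress entries apply to every host. It assumes the Snort 2.x scoped form "suppress ..., track by_src, ip <addr>"; the file contents, the 10.0.x.x addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample files (not from the thread); 10.0.1.10 stands in for the
# proxy address, which the thread does not give.
SNORT_CONF = """\
var HOME_NET 10.0.0.0/21
# include classification.config
include threshold.conf
"""

THRESHOLD_CONF = """\
suppress gen_id 119, sig_id 2     # disable http_inspect: DOUBLE DECODING ATTACK alerts
suppress gen_id 119, sig_id 2, track by_src, ip 10.0.1.10
# suppress gen_id 1, sig_id 1852
"""

def strip_comment(line):
    """Drop everything after '#' plus surrounding whitespace."""
    return line.split("#", 1)[0].strip()

def includes_file(snort_conf, name):
    """True if snort.conf has an uncommented 'include <name>' line."""
    for line in snort_conf.splitlines():
        parts = strip_comment(line).split()
        if len(parts) == 2 and parts[0] == "include" and parts[1].endswith(name):
            return True
    return False

def parse_suppress(threshold_conf):
    """Return one dict per active suppress line: gen_id, sig_id, track, ip."""
    rules = []
    for line in threshold_conf.splitlines():
        body = strip_comment(line)
        if not body.startswith("suppress"):
            continue
        fields = dict(re.findall(r"(\w+)\s+([^,\s]+)", body[len("suppress"):]))
        rules.append({
            "gen_id": int(fields["gen_id"]),
            "sig_id": int(fields["sig_id"]),
            "track": fields.get("track"),  # None: suppressed for all hosts
            "ip": fields.get("ip"),
        })
    return rules

def global_suppressions(rules):
    """Entries with no ip scope silence the alert for every source."""
    return [(r["gen_id"], r["sig_id"]) for r in rules if r["ip"] is None]

if __name__ == "__main__":
    print(global_suppressions(parse_suppress(THRESHOLD_CONF)))
```

The first sample entry is reported as unscoped; the second limits the suppression to alerts whose source is the proxy, so the same preprocessor alert from other hosts is still logged.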
