[Snort-users] DOUBLE DECODING ATTACK
Bruce.Briggs at ...13183...
Thu Aug 18 12:48:36 EDT 2005
You use threshold.conf to disable these preprocessor alerts.
suppress gen_id 119, sig_id 2 # disable http_inspect: DOUBLE
DECODING ATTACK alerts
Make sure that threshold.conf is enabled in your snort.conf.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of hans
Sent: Thursday, August 18, 2005 1:04 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] DOUBLE DECODING ATTACK
i run snort 2.3.2 on solaris 9
in the logs i see a lot of entries
with text: DOUBLE DECODING ATTACK
nearly all of the entries are generated
by the source ip-adress of my proxy.
so i assume, i didn't setup snort correctly.
in snort.conf i did define variable HOME_NET
and also var EXTERNAL_NET !$HOME_NET
HOME_NET is defined as super-net of 8 c-class ( /21 )
where proxy-ip is included.
i start snort with option -h and my network.
or is there a way to disable this rule ?
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle
Agile & Plan-Driven Development * Managing Projects & Teams * Testing &
Security * Process Improvement & Measurement *
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users