[Snort-users] DOUBLE DECODING ATTACK
rosa.schwein at ...12989...
Mon Aug 22 12:07:16 EDT 2005
is there also a way to correct the behaviour
only log from $EXTERNAL_NET to $HOME_NET
and not also both directions ?
On Thu, Aug 18, 2005 at 03:21:01PM -0400, Briggs, Bruce wrote:
> You use threshold.conf to disable these preprocessor alerts.
> suppress gen_id 119, sig_id 2 # disable http_inspect: DOUBLE DECODING ATTACK alerts
> Make sure that threshold.conf is enabled in your snort.conf.
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of hans
> Sent: Thursday, August 18, 2005 1:04 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] DOUBLE DECODING ATTACK
> hi snorters
> i run snort 2.3.2 on solaris 9
> in the logs i see a lot of entries
> with text: DOUBLE DECODING ATTACK
> nearly all of the entries are generated
> by the source ip-address of my proxy.
> so i assume, i didn't set up snort correctly.
> in snort.conf i did define variable HOME_NET
> and also var EXTERNAL_NET !$HOME_NET
> HOME_NET is defined as super-net of 8 c-class ( /21 )
> where proxy-ip is included.
> i start snort with option -h and my network.
> or is there a way to disable this rule ?
> best regards
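
An added example, not part of the original thread: the global suppression from the quoted reply next to a form scoped to the proxy, which the original poster says is the source of nearly all the entries. It assumes the `track by_src, ip` form of `suppress` documented for Snort 2.x threshold.conf, and 192.0.2.10 is a constructed placeholder for the proxy address.

```conf
# threshold.conf (added example; 192.0.2.10 is a constructed placeholder
# for the proxy address, replace it with the real one)

# Global form from the quoted reply: drops every http_inspect
# DOUBLE DECODING ATTACK alert (gen_id 119, sig_id 2), whatever the source.
# suppress gen_id 119, sig_id 2

# Scoped form: drop the alert only when the packet source is the proxy,
# so the same event from any other host is still logged.
suppress gen_id 119, sig_id 2, track by_src, ip 192.0.2.10

# snort.conf: threshold.conf must be included for the line above to apply.
# include threshold.conf
```

Only one of the two `suppress` lines should be active at a time, since the global form makes the scoped one redundant.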