[Snort-users] DOUBLE DECODING ATTACK

hans rosa.schwein at ...12989...
Mon Aug 22 12:07:16 EDT 2005


is there also a way to correct the behaviour 
only log from $EXTERNAL_NET to $HOME_NET 
and not also both directions ? 

best regards 
hans 

-- 



On Thu, Aug 18, 2005 at 03:21:01PM -0400, Briggs, Bruce wrote:
> You use threshold.conf to disable these preprocessor alerts. 
> 
> suppress gen_id 119, sig_id 2     #  disable http_inspect: DOUBLE DECODING ATTACK alerts
> 
> Make sure that threshold.conf is enabled in your snort.conf.
> 
> Bruce
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of hans
> Sent: Thursday, August 18, 2005 1:04 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] DOUBLE DECODING ATTACK
> 
> 
> hi snorters 
> 
> i run snort 2.3.2 on solaris 9 
> in the logs i see  a lot of entries
> with text: DOUBLE DECODING ATTACK
> 
> nearly all of the entries are generated 
> by the source ip-address of my proxy. 
> 
> so i assume, i didn't setup snort correctly.
> 
> in snort.conf i did define variable HOME_NET
> and also var EXTERNAL_NET !$HOME_NET 
> HOME_NET is defined as super-net of 8 c-class ( /21 ) 
> where proxy-ip is included.
> 
> i start snort with option -h and my network.
> 
> or is there a way to disable this rule ? 
> 
> best regards 
> hans 
> 
> -- 
> 
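
The suppress directive discussed in this thread can be limited to one address instead of applied globally. The fragment below is an added example, not part of either poster's message; it uses the Snort 2.x `track by_src, ip` form of `suppress`, and 192.0.2.10 is a constructed placeholder for the proxy address.

```conf
# --- threshold.conf ---

# Broad form from the reply above: drops every http_inspect
# DOUBLE DECODING ATTACK event (gen_id 119, sig_id 2), whatever the source.
# suppress gen_id 119, sig_id 2

# Narrower form: drop the event only when the packet's source address
# is the proxy. 192.0.2.10 is a constructed placeholder; substitute the
# real proxy address. The same event from any other source is still logged.
suppress gen_id 119, sig_id 2, track by_src, ip 192.0.2.10

# --- snort.conf ---

# The suppress lines take effect only if threshold.conf is included.
include threshold.conf
```

`suppress` matches on address rather than on rule direction, so the entry filters by the proxy's source address and leaves events from $EXTERNAL_NET sources untouched.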



