[Snort-users] DOUBLE DECODING ATTACK

Eric Hines eric.hines at ...8860...
Fri Oct 13 09:43:24 EDT 2006


Julien,

You will want to tune your http_inspect preprocessor by creating Web
Server profiles for each of your web servers. Documentation is available
at
http://www.snort.org/docs/snort_htmanuals/htmanual_260/node11.html#SECTION003111000000000000000

Read and understand the different http_inspect_server options and decide
which ones to use.

Example:

preprocessor http_inspect_server: server 10.1.1.1 \
                        ports { 80 3128 8080 } \
                        flow_depth 0 \
                        ascii no \
                        double_decode yes \
                        non_rfc_char { 0x00 } \
                        chunk_length 500000 \
                        non_strict \
                        no_alerts



Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


Email:   eric.hines at ...8860...
Address: 1095 Pingree Road
         Suite 221
         Crystal Lake, IL
         60014
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

--------------------------------------------------
Security Management for the Open Source Enterprise





Julien VARLET wrote:
> Hi,
> 
> I get a lot of DOUBLE DECODING ATTACK alerts when the http preprocessor is active, but they are only false positives... I do not want to deactivate the http preprocessor. What can I do?
> 
> Thanks.
> 
> 
> To: snort.user at ...11827...
>     snort-users at lists.sourceforge.net
>     snort-devel at lists.sourceforge.net
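Added example, not part of the original post and not Snort's own code: a small triage script that shows which request URIs still change on a second pass of %XX decoding, the condition behind the DOUBLE DECODING ATTACK alerts discussed above, so you can see which servers legitimately receive such URIs before writing per-server profiles. Assumptions: it models plain %XX escapes only, and the second server address and all URIs are constructed sample data.

```python
import re

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")

def decode_once(raw: bytes) -> bytes:
    """One pass of %XX decoding; malformed escapes are left untouched."""
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def encoding_depth(uri: bytes) -> int:
    """Number of decoding passes that still change the URI."""
    depth = 0
    while True:
        decoded = decode_once(uri)
        if decoded == uri:
            return depth
        # Each changing pass shortens the URI, so this loop terminates.
        uri, depth = decoded, depth + 1

def is_double_encoded(uri: bytes) -> bool:
    """True when a second pass would decode something the first pass produced."""
    return encoding_depth(uri) >= 2

# Constructed sample: (server address, raw request URI) pairs such as you
# might extract from a proxy or web access log. Not real traffic.
SAMPLE = [
    ("10.1.1.1", b"/login?next=http%253A%252F%252Fintranet%252Fhome"),
    ("10.1.1.1", b"/search?q=50%2525+off"),
    ("10.1.1.1", b"/img/logo%20small.png"),
    ("10.1.1.2", b"/index.html"),
    ("10.1.1.2", b"/docs/a%2Fb"),
]

def triage(records):
    """Per server: (double-encoded requests, total requests)."""
    stats = {}
    for server, uri in records:
        hits, total = stats.get(server, (0, 0))
        stats[server] = (hits + is_double_encoded(uri), total + 1)
    return stats

if __name__ == "__main__":
    for server, (hits, total) in sorted(triage(SAMPLE).items()):
        print(f"{server}: {hits}/{total} requests double-encoded")
```

Applications that nest one URL inside another (redirect or "next" parameters) often produce such requests legitimately, which is where a per-server profile helps.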