[Snort-users] your mail

gary douglas GM-Douglas at ...13400...
Wed Oct 18 13:38:36 EDT 2006


I also get a ton of these. I suppress them with the following. I have
it in a threshold.conf file that is referenced at the bottom of the
snort.conf.

# stop (http_inspect) double decoding attack alerts.
suppress gen_id 119, sig_id 2

I wish there was a central location to get the gen_id of all the
different processes. So far I have found the following.

portscan = 122
http_inspect = 119
spp_frag3 = 123

Thank you
Gary Douglas


On Oct 18, 2006, at 10:22 AM, Phil Wood wrote:

> Could it be that your users are attacking websites?
>
> On Wed, Oct 18, 2006 at 03:19:51PM +0000, Julien VARLET wrote:
>> I have these problems when my users browse websites, so I cannot
>> tune it.
>>
>> -------- Original Message --------
>> Subject: Re: [Snort-users] DOUBLE DECODING ATTACK (13-oct.-2006 12:46)
>> From:    Joel Esler <joel.esler at ...1935...>
>> To:      jvarlet at ...12243...
>>
>>> Have you tuned your http_inspect_server lines to accurately reflect
>>> your http servers?
>>>
>>> J
>>>
>>>
>>> On Oct 13, 2006, at 6:12 AM, Julien VARLET wrote:
>>>
>>>> Hi,
>>>>
>>>> I get a lot of DOUBLE DECODING ATTACK alerts when the http preprocessor is
>>>> active, but they are only false positives... I do not want to
>>>> deactivate the http preprocessor. What can I do?
>>>>
>>>> Thanks.
>>>>
>>>>
>>>> To: snort.user at ...11827...
>>>>     snort-users at lists.sourceforge.net
>>>>     snort-devel at lists.sourceforge.net
>>>>
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>
>>> +---------------------------------------------------------------------+
>>> joel esler          senior security consultant          1-706-627-2101
>>> Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
>>>         Snort - Open Source Network IPS/IDS -- http://www.snort.org
>>>           gpg key: http://demo.sourcefire.com/jesler.pgp.key
>>>             aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
>>> +---------------------------------------------------------------------+
>>>
>>
>
> -- 
> Phil Wood (cpw_at-sign_lanl.gov)

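Added example (not part of the original post and not Snort project code): a small Python audit that maps each suppress line in a threshold.conf to the alert it silences and shows whether the suppression is global or scoped to an address. It assumes the `gen_id || sig_id || message` layout of the gen-msg.map file distributed with Snort 2.x; the sample map rows, the 10.1.1.0/24 subnet and the gen_id 200 entry are constructed.

```python
import re

# Constructed sample rows in the "gen_id || sig_id || message" layout (assumed
# to match Snort 2.x gen-msg.map); not copied from a real install.
GEN_MSG_MAP = """\
# Format: generatorid || alertid || MSG
119 || 1 || http_inspect: ASCII ENCODING
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
122 || 1 || portscan: TCP Portscan
123 || 1 || frag3: IP Options on fragmented packet
"""

# Constructed threshold.conf: the post's suppress line, a scoped variant
# (constructed subnet) and an entry whose generator is not in the map.
THRESHOLD_CONF = """\
# stop (http_inspect) double decoding attack alerts.
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 1, track by_src, ip 10.1.1.0/24
suppress gen_id 200, sig_id 7
"""

SUPPRESS = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?")

def load_map(text):
    """Return ({gen_id: preprocessor name}, {(gen_id, sig_id): message})."""
    names, msgs = {}, {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue  # comment, blank or malformed row
        gid, sid = int(parts[0]), int(parts[1])
        names.setdefault(gid, parts[2].split(":", 1)[0])
        msgs[(gid, sid)] = parts[2]
    return names, msgs

def audit(conf, msgs):
    """List (gen_id, sig_id, message or None, scope) for every suppress line."""
    rows = []
    for line in conf.splitlines():
        m = SUPPRESS.match(line)
        if m:
            gid, sid = int(m.group(1)), int(m.group(2))
            scope = f"{m.group(3)} {m.group(4)}" if m.group(3) else "global"
            rows.append((gid, sid, msgs.get((gid, sid)), scope))
    return rows

if __name__ == "__main__":
    names, msgs = load_map(GEN_MSG_MAP)
    for gid, sid, msg, scope in audit(THRESHOLD_CONF, msgs):
        print(f"{gid}:{sid} [{scope}] {msg or 'NOT IN MAP - check gen_id/sig_id'}")
```

A suppression reported as global silences that alert for every host, and a row with no message means the gen_id/sig_id pair should be checked before it is trusted.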