[Snort-users] Double Decoding Attack bad?

Chris Libby chris.a.libby at ...11827...
Thu Nov 15 09:41:20 EST 2007

I had been getting alerts on this and various other HTTP_INSPECT attacks all
the time.  Most were from one internal computer to another (typically
Word/Excel opening a document from Sharepoint), and a few from a Mail2Go
package out to the Internet.  Too many false positives to be useful.
However, you may want to see what computers this is coming from and look at
the traffic for yourself before you turn it off.

On Nov 15, 2007 7:09 AM, The New York NOC Inc. <andy at ...14226...> wrote:

>  Hey everyone,
> I get a lot of (http_inspect) Double Decoding Attack  events.  Is this
> bad?  There isn't too much information on this so any help would be
> appreciated.
> Thanks
> Andy
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Chris Libby (chris.a.libby at ...11827...)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20071115/4b3e93a0/attachment.html>

More information about the Snort-users mailing list