[Snort-users] Double Decoding Attack bad?

Joel Esler joel.esler at ...1935...
Thu Nov 15 09:54:16 EST 2007


http_inspect alerts are important.

They aren't false positives, they are actually triggering on traffic, you just may not understand what is going on in the traffic.

1)  Set your variables.  HOME_NET, HTTP_SERVERS, etc...  should all be set to what is relevant in your network.
2)  Tune the web servers that are protected by Snort on a line-by-line basis in your http_inspect preprocessor.  Use your profiles.  (iis, apache, etc) This is key.

Then suppress what you need to.  However, just because alerts are coming from a preprocessor doesn't mean they are any less important than the rules.  These are all alerts that still need to be reviewed.

J 


On Thu, Nov 15, 2007 at 09:41:20AM -0500, it looks like Chris Libby sent me:
>    I had been getting alerts on this and various other HTTP_INSPECT attacks
>    all the time.  Most were from one internal computer to another (typically
>    Word/Excel opening a document from Sharepoint), and a few from a Mail2Go
>    package out to the Internet.  Too many false positives to be useful.
>    However, you may want to see what computers this is coming from and look
>    at the traffic for yourself before you turn it off.
> 
>    On Nov 15, 2007 7:09 AM, The New York NOC Inc. <[1]andy at ...14226...>
>    wrote:
> 
>      Hey everyone,
> 
>      I get a lot of (http_inspect) Double Decoding Attack  events.  Is this
>      bad?  There isn't too much information on this so any help would be
>      appreciated.
> 
>      Thanks
>      Andy
> 
> 
>      _______________________________________________
>      Snort-users mailing list
>      [3]Snort-users at lists.sourceforge.net
>      Go to this URL to change user options or unsubscribe:
>      [4]https://lists.sourceforge.net/lists/listinfo/snort-users
>      Snort-users list archive:
>      [5]http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
>    --
>    Chris Libby ([6]chris.a.libby at ...11827...)
> 
> References
> 
>    Visible links
>    1. mailto:andy at ...14226...
>    2. http://get.splunk.com/
>    3. mailto:Snort-users at lists.sourceforge.net
>    4. https://lists.sourceforge.net/lists/listinfo/snort-users
>    5. http://www.geocrawler.com/redir-sf.php3?list=snort-users
>    6. mailto:chris.a.libby at ...11827...









-----
joel esler 
D4E0 D59F D2C2 234E 6CEF  05E7 29B0 92C9 71DC 92DE
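The two tuning steps above (set the variables, then give each protected web server its own http_inspect_server line with the right profile) as a concrete snort.conf fragment. This is an added example, not configuration posted in the thread: the addresses, the server-to-profile mapping and the host whose events are suppressed are assumptions standing in for your own network.

```conf
# --- Weak (stock) settings: every HTTP server is "any", so http_inspect
# --- normalizes all port-80 traffic with the generic "all" profile and the
# --- IIS-specific double_decode check fires on Apache and client traffic too.
var HOME_NET any
var HTTP_SERVERS $HOME_NET
preprocessor http_inspect_server: server default profile all ports { 80 }

# --- Tuned: variables match the network, each server gets its own profile.
# (Addresses below are assumptions for illustration.)
var HOME_NET 10.0.0.0/8
var HTTP_SERVERS [10.0.1.10,10.0.1.11]
var HTTP_PORTS 80

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# IIS box: the iis profile turns double_decode on, because IIS itself
# decodes %XX escapes twice and an attacker can hide "../" behind "%252e".
preprocessor http_inspect_server: server 10.0.1.10 profile iis ports { 80 }

# Apache box: the apache profile leaves double_decode off, so
# double-encoded URIs are not alerted on for a server that decodes once.
preprocessor http_inspect_server: server 10.0.1.11 profile apache ports { 80 }

# Anything else on port 80 still gets the generic profile.
preprocessor http_inspect_server: server default profile all ports { 80 }

# Only after reviewing the traffic: suppress the double-decoding event
# (gid 119, sid 2 in Snort 2.x) for one known-noisy internal client.
suppress gen_id 119, sig_id 2, track by_src, ip 10.0.5.7
```

Reload Snort after the change and compare the alert rate before and after; the profiles should remove most of the noise before any suppress line is needed.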
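What the "Double Decoding Attack" event is looking at, replayed in Python so the difference between an attack and the benign traffic Chris describes is visible. This is an added example, not code from the thread or from Snort: the request URIs are constructed, and the `classify` triage (traversal vs. review vs. clean) is my own heuristic for reading such alerts, not the preprocessor's logic.

```python
"""Double decoding: a server such as IIS that percent-decodes a URI twice sees
a different path than one that decodes once.  '%252e' -> '%2e' -> '.'.
Added example with constructed sample URIs; not Snort's own implementation."""
import re
from urllib.parse import unquote

# A syntactically valid %XX escape.
PCT = re.compile(r"%[0-9A-Fa-f]{2}")
# Directory traversal in either slash flavour.
TRAVERSAL = re.compile(r"\.\.[\\/]")


def decode_once(uri):
    """One percent-decoding pass.  latin-1 maps every byte to a character,
    so malformed UTF-8 is neither replaced nor raises."""
    return unquote(uri, encoding="latin-1")


def decode_passes(uri, limit=4):
    """Successive single passes until the string stops changing (or limit)."""
    passes = [uri]
    while len(passes) <= limit:
        nxt = decode_once(passes[-1])
        if nxt == passes[-1]:
            break
        passes.append(nxt)
    return passes


def is_double_encoded(uri):
    """True when one decode pass still leaves valid %XX escapes: this is the
    condition under which a twice-decoding server and a once-decoding server
    disagree about the path, and the situation the alert is warning about."""
    return PCT.search(decode_once(uri)) is not None


def classify(uri):
    """Triage a URI the way an analyst would when reviewing the alert:
    'clean'     - not double-encoded at all
    'review'    - double-encoded, but the fully decoded path looks ordinary
                  (e.g. a client re-encoded an already-encoded file name)
    'traversal' - the second decode pass produces '../' or '..\\' that the
                  first pass did not, i.e. the encoding hides a traversal
    """
    if not is_double_encoded(uri):
        return "clean"
    once = decode_once(uri)
    final = decode_passes(uri)[-1]
    if TRAVERSAL.search(final) and not TRAVERSAL.search(once):
        return "traversal"
    return "review"


# Constructed sample request URIs (assumptions, not captured traffic).
SAMPLE_URIS = {
    # Classic IIS-style hidden traversal: "%255c" -> "%5c" -> "\"
    "attack": "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir",
    # A client percent-encoding a URL that was already encoded; harmless,
    # but it trips the same check because "%2520" still decodes further.
    "benign": "/sites/finance/Q4%2520report.xlsx",
    # Ordinary single encoding: one pass and nothing is left to decode.
    "plain": "/sites/finance/Q4%20report.xlsx",
}


def triage_all(uris=SAMPLE_URIS):
    """Map each sample name to (classification, list of decode passes)."""
    return {name: (classify(u), decode_passes(u)) for name, u in uris.items()}


if __name__ == "__main__":
    for name, (verdict, passes) in triage_all().items():
        print(f"{name:7s} {verdict:10s} " + "  ->  ".join(passes))
```

Run it and read the decode chain next to the verdict: the attack URI only grows a `..\..\` on the second pass, while the re-encoded file name just becomes `Q4 report.xlsx`. That is the check to make on the source hosts before deciding whether a suppress line is justified.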



