Snort mailing list archives
Re: Where to configure/change rules for this one?
From: Neil Dickey <neil () geol niu edu>
Date: Thu, 3 May 2001 12:22:58 -0500 (CDT)
"Ed Greshko" <Edward.M.Greshko () syntegra com> wrote:
> [**] spp_http_decode: IIS Unicode attack detected [**]
> 05/03-23:12:18.641497 129.179.xx.xx:1171 -> 202.85.139.157:80
> TCP TTL:127 TOS:0x0 ID:2039 IpLen:20 DgmLen:484 DF
> ***AP*** Seq: 0x6D4A2C44 Ack: 0x34EF9A9F Win: 0x2238 TcpLen: 20
>
> As far as I can tell this is normal surfing by someone running Win2K
> English version connecting to a site here in Taiwan and reading a Chinese
> site in Hong Kong. The messages don't appear to be coming from the
> included rules.

They aren't. Look for a line in your configuration file that looks like
this:

    preprocessor http_decode: 80 8080

Those entries are coming from the preprocessor. You need to turn off the
"unicode" capability by changing the line to look like this:

    preprocessor http_decode: 80 8080 -unicode

Then reset Snort to get it to re-read the configuration files.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
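
An added example, not part of the original message or of Snort itself: a small triage script that reads alerts in the layout quoted above and reports whether each one should be tuned on a "preprocessor" line or in the rules files. It assumes that an alert message beginning with "spp_<name>:" comes from the preprocessor <name>, as the alert in this thread does; the second sample alert and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first alert is the one quoted in the thread, the
# second is a made-up rule alert (documentation addresses) for contrast.
SAMPLE = """\
[**] spp_http_decode: IIS Unicode attack detected [**]
05/03-23:12:18.641497 129.179.xx.xx:1171 -> 202.85.139.157:80
TCP TTL:127 TOS:0x0 ID:2039 IpLen:20 DgmLen:484 DF
***AP*** Seq: 0x6D4A2C44 Ack: 0x34EF9A9F Win: 0x2238 TcpLen: 20

[**] EXAMPLE constructed rule alert [**]
05/03-23:14:02.000001 192.0.2.10:1200 -> 192.0.2.20:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x1 Ack: 0x1 Win: 0x2000 TcpLen: 20
"""

HEADER = re.compile(r"^\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]\s*$")
FLOW = re.compile(r"^\S+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")
# Assumption: preprocessor alerts carry an "spp_<name>:" message prefix.
PREPROC = re.compile(r"^spp_(?P<name>\w+):")

def parse_alerts(text):
    """Split alert text into dicts: msg, origin, name, src, dst."""
    alerts, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            msg = header.group("msg")
            pre = PREPROC.match(msg)
            current = {"msg": msg, "src": None, "dst": None,
                       "origin": "preprocessor" if pre else "rule",
                       "name": pre.group("name") if pre else None}
            alerts.append(current)
        elif current is not None and current["src"] is None:
            flow = FLOW.match(line)  # only the timestamp line contains "->"
            if flow:
                current["src"], current["dst"] = flow.group("src", "dst")
    return alerts

def where_to_tune(alerts):
    """Count alerts per place in the configuration that produced them."""
    places = Counter()
    for a in alerts:
        if a["origin"] == "preprocessor":
            places["preprocessor %s: line in the configuration file" % a["name"]] += 1
        else:
            places["rules files"] += 1
    return dict(places)

if __name__ == "__main__":
    for place, count in where_to_tune(parse_alerts(SAMPLE)).items():
        print(count, place)
```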