Snort mailing list archives
RE: spp_http_decode: CGI Null Byte attack detected
From: Dan Fiorito <danf () clearnetwork com>
Date: Tue, 29 May 2001 16:13:54 -0400
http://www.snort.org/FAQ.html --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: I am getting too many "IIS Unicode attack detected" and/or "CGI Null Byte attack detected" false positives. How can I turn this detection off? A: These messages are produced by the http_decode preprocessor. If you wish to turn these checks off, add -unicode or -cginull to your http_decode preprocessor line respectively. preprocessor http_decode: 80 8080 -unicode -cginull -----Original Message----- From: John Johnson [mailto:john () cyberbytesbbs com] Sent: Tuesday, May 29, 2001 3:29 PM To: snort-users () lists sourceforge net Subject: [Snort-users] spp_http_decode: CGI Null Byte attack detected -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 with snort 1.7 I am getting lot's of alerts for CGI Null Byte attacks and well there are not any! I can't locate this rule and was wondering if there was a way to deal with it. - -John -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.1 iQA/AwUBOxP4gQfP+qzR55XlEQLpZACeJGNfR8FpeVMTx9eTaASaRfVoUNMAnjQL w7qjCjc8h57viAHjwHLeh6Ta =fgJy -----END PGP SIGNATURE----- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: spp_http_decode: CGI Null Byte attack detected Dan Fiorito (May 29)