Snort mailing list archives
Re: double decoding attack
From: Sean Lazar <slazar () cruzio com>
Date: Mon, 01 Mar 2004 17:20:36 -0800
Snort.conf comes with:

var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

You could change the rule so that it excludes AIM servers, like:

alert tcp !$AIM_SERVERS any -> $HOME_NET any
Sean

Ben Beeson wrote:

Mark, I see this every day when my daughter gets on the computer. She uses AOL IM on a Mac, and my snort logs are full of those double decode attacks you mentioned. If anybody can figure out how to address that, I would be very appreciative because it would make my logs much more legible.

Ben

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- double decoding attack Mark Olbert (Feb 29)
- <Possible follow-ups>
- Re: double decoding attack Ben Beeson (Mar 01)
- Re: double decoding attack Sean Lazar (Mar 01)
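
Added example (not part of the original messages and not Snort's own code): before applying the exclusion discussed in this thread, a script like the one below can measure how many double-decoding alerts involve an address in AIM_SERVERS, and whether that address is the source or the destination, since a negated source list only affects the source side. The network list is the one quoted above; the alert lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Copied from the var AIM_SERVERS line quoted in the message above.
AIM_SERVERS_VAR = ("[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,"
                   "64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,"
                   "205.188.5.0/24,205.188.9.0/24]")

# Constructed sample alerts in Snort's fast-alert layout (not real log data).
SAMPLE_ALERTS = """\
03/01-17:01:10.000001  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] {TCP} 192.168.1.20:49152 -> 64.12.26.200:80
03/01-17:01:12.000002  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] {TCP} 205.188.9.7:80 -> 192.168.1.20:49153
03/01-17:02:30.000003  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] {TCP} 203.0.113.9:40000 -> 192.168.1.20:80
03/01-17:03:00.000004  [**] [1:0:0] CONSTRUCTED OTHER ALERT [**] {TCP} 64.12.24.5:5190 -> 192.168.1.20:49154
"""

# Captures the source and destination IPv4 addresses after the {PROTO} tag.
ENDPOINTS = re.compile(r"\}\s+([\d.]+):\d+\s+->\s+([\d.]+):\d+")

def parse_ip_var(value):
    """Turn a Snort IP list variable into networks. strict=False tolerates
    entries with host bits set, such as 64.12.26.14/24."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.strip("[] ").split(",") if item.strip()]

def in_list(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def triage(log_text, nets, needle="DOUBLE DECODING"):
    """Count matching alerts by which endpoint, if any, is in the list."""
    counts = {"aim_is_source": 0, "aim_is_destination": 0, "no_aim_endpoint": 0}
    for line in log_text.splitlines():
        m = ENDPOINTS.search(line)
        if not m or needle not in line.upper():
            continue  # not an alert of the kind being triaged
        src, dst = m.groups()
        if in_list(src, nets):
            counts["aim_is_source"] += 1
        elif in_list(dst, nets):
            counts["aim_is_destination"] += 1
        else:
            counts["no_aim_endpoint"] += 1
    return counts

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS, parse_ip_var(AIM_SERVERS_VAR)))
```

Alerts counted under no_aim_endpoint would keep firing after the exclusion and still need review.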