Snort mailing list archives
http_inspect ?'s
From: John Hally <JHally () epnet com>
Date: Tue, 26 Jul 2005 09:13:03 -0400
Hello All,

I've been playing around with the http_inspect preprocessor and let it go overnight with what I think is a pretty vanilla setup:

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 detect_anomalous_servers
preprocessor http_inspect_server: server default profile all ports { 80 }

I now have a huge amount of alerts for Double Decoding Attack, Bare Byte Unicode encoding, and to a lesser extent, IIS Unicode Codepoint Encoding. I've looked through a good amount of these and the actual traffic seems to be legit. Is it possible that the application we have running on a farm of IIS servers is using these abnormal encodes/decodes, or am I potentially missing something?

Thanks in advance.

John.