Snort mailing list archives

DOUBLE DECODING ATTACK

From: hans <rosa.schwein () ma yer at>
Date: Thu, 18 Aug 2005 19:04:00 +0200


hi snorters 

i run snort 2.3.2 on solaris 9 
in the logs i see  a lot of entries
with text: DOUBLE DECODING ATTACK

nearly all of the entries are generated 
by the source ip-adress of my proxy. 

so i assume, i didn't setup snort correctly.

in snort.conf i did define variable HOME_NET
and also var EXTERNAL_NET !$HOME_NET 
HOME_NET is defined as super-net of 8 c-class ( /21 ) 
where proxy-ip is included.

i start snort with option -h and my network.

or is there a way to disable this rule ? 

best regards 
hans 

-- 



-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

DOUBLE DECODING ATTACK hans (Aug 18)
- <Possible follow-ups>
- RE: DOUBLE DECODING ATTACK Briggs, Bruce (Aug 18)
  - Re: DOUBLE DECODING ATTACK hans (Aug 22)