Snort mailing list archives
DOUBLE DECODING ATTACK
From: hans <rosa.schwein () ma yer at>
Date: Thu, 18 Aug 2005 19:04:00 +0200
hi snorters i run snort 2.3.2 on solaris 9 in the logs i see a lot of entries with text: DOUBLE DECODING ATTACK nearly all of the entries are generated by the source ip-adress of my proxy. so i assume, i didn't setup snort correctly. in snort.conf i did define variable HOME_NET and also var EXTERNAL_NET !$HOME_NET HOME_NET is defined as super-net of 8 c-class ( /21 ) where proxy-ip is included. i start snort with option -h and my network. or is there a way to disable this rule ? best regards hans -- ------------------------------------------------------- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- DOUBLE DECODING ATTACK hans (Aug 18)
- <Possible follow-ups>
- RE: DOUBLE DECODING ATTACK Briggs, Bruce (Aug 18)
- Re: DOUBLE DECODING ATTACK hans (Aug 22)