Snort mailing list archives

Re: DOUBLE DECODING ATTACK


From: Eric Hines <eric.hines () appliedwatch com>
Date: Fri, 13 Oct 2006 08:43:24 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julien,

You will want to tune your http_inspect preprocessor by creating Web
Server profiles for each of your web servers. Documentation is available
at
http://www.snort.org/docs/snort_htmanuals/htmanual_260/node11.html#SECTION003111000000000000000

Read and understand the different http_inspect_server options and decide
which ones to use.

Example:

preprocessor http_inspect_server: server 10.1.1.1 \
                        ports { 80 3128 8080 } \
                        flow_depth 0 \
                        ascii no \
                        double_decode yes \
                        non_rfc_char { 0x00 } \
                        chunk_length 500000 \
                        non_strict \
                        no_alerts



Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


- --------------------------------------------------

Email:   eric.hines () appliedwatch com
Address: 1095 Pingree Road
         Suite 221
         Crystal Lake, IL
         60014
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

- --------------------------------------------------
Security Management for the Open Source Enterprise





Julien VARLET wrote:
Hi,

I get a lot of DOUBLE DECODING ATTACK alerts when the http preprocessor is active, but they are only false positives... I do not want to deactivate the http preprocessor. How can I do this?

Thanks.


To: snort.user () gmail com
    snort-users () lists sourceforge net
    snort-devel () lists sourceforge net



-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFL5f71va6QYTV0EMRAvwaAKCoCHH/cbIzKAhgdZgq3zvXnPrfLgCdGp4o
jz1WC2zsEVhOeOAJ0W0w+sI=
=wqXQ
-----END PGP SIGNATURE-----
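As an added illustration that is not part of this thread: the alert Julien is seeing fires when http_inspect, with double_decode enabled for a server, percent-decodes a URI a second time and that pass still changes the string. The script below reproduces that check in Python over a few constructed request lines (the sample requests, the helper names and the path/query split are all assumptions for this example, not Snort code), and separates path from query string so you can see where the benign hits come from before deciding which http_inspect_server options to set for a given server.

```python
from urllib.parse import unquote


def decode_passes(text, passes=2):
    """Percent-decode `text` repeatedly and return every intermediate result.

    A clean, single-encoded string stops changing after the first pass.
    """
    results = [text]
    for _ in range(passes):
        results.append(unquote(results[-1]))
    return results


def is_double_encoded(text):
    """True when the second decoding pass still changes the string,
    i.e. the first pass exposed further %XX sequences (e.g. %255c -> %5c -> \\)."""
    once, twice = decode_passes(text)[1:]
    return once != twice


def scan_request(request_line):
    """Split an HTTP request line into path and query and check each part.

    Returns a dict with the per-component verdict plus the fully decoded
    values so an analyst can eyeball what the second pass produced.
    """
    _method, uri, _version = request_line.split(" ", 2)
    path, _, query = uri.partition("?")
    return {
        "path": is_double_encoded(path),
        "query": is_double_encoded(query),
        "path_decoded": decode_passes(path)[-1],
        "query_decoded": decode_passes(query)[-1],
    }


# Constructed sample traffic (hypothetical, not captured from any real host).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",                                   # plain
    "GET /docs/my%20file.txt HTTP/1.1",                           # single-encoded
    "GET /images/logo%255c.gif HTTP/1.1",                         # double-encoded path
    "GET /redirect?url=http%3A%2F%2Fexample.com%2Ffile%2520name.pdf HTTP/1.1",
    # ^ benign: an encoded URL carried inside a query parameter, which a
    #   second decoding pass also changes -- a typical false-positive source
]


def scan_all(requests=SAMPLE_REQUESTS):
    """Return the list of (request_line, verdict) pairs for the samples."""
    return [(line, scan_request(line)) for line in requests]


if __name__ == "__main__":
    for line, verdict in scan_all():
        flag = "DOUBLE-ENCODED" if verdict["path"] or verdict["query"] else "ok"
        print(f"{flag:15} {line}")
        if flag != "ok":
            print(f"{'':15} path  -> {verdict['path_decoded']}")
            print(f"{'':15} query -> {verdict['query_decoded']}")
```

Running this shows that the third request trips the check in its path while the fourth trips it only in the query string. That distinction is what per-server http_inspect_server profiles are for: a server that legitimately passes encoded URLs in parameters can get a profile of its own instead of the preprocessor being disabled globally.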

