Snort mailing list archives
Re: DOUBLE DECODING ATTACK
From: Eric Hines <eric.hines () appliedwatch com>
Date: Fri, 13 Oct 2006 08:43:24 -0500
Julien,

You will want to tune your http_inspect preprocessor by creating Web Server profiles for each of your web servers. Documentation is available at
http://www.snort.org/docs/snort_htmanuals/htmanual_260/node11.html#SECTION003111000000000000000

Read and understand the different http_inspect_server options and decide which ones to use.

Example:

    preprocessor http_inspect_server: server 10.1.1.1 \
        ports { 80 3128 8080 } \
        flow_depth 0 \
        ascii no \
        double_decode yes \
        non_rfc_char { 0x00 } \
        chunk_length 500000 \
        non_strict \
        no_alerts

Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Email: eric.hines () appliedwatch com
Address: 1095 Pingree Road Suite 221 Crystal Lake, IL 60014
Tel: (877) 262-7593 ext:327
Local: (847) 854-5831
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
--------------------------------------------------
Security Management for the Open Source Enterprise

Julien VARLET wrote:
> Hi,
>
> I get a lot of DOUBLE DECODING ATTACK when http preprocessor is active, but it is only false positives... I do not want to deactivate http preprocessor. What can I do?
>
> Thanks.
>
> To: snort.user () gmail com snort-users () lists sourceforge net snort-devel () lists sourceforge net
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
Attachment:
eric.hines.vcf
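The following added example (not part of the original messages, and not Snort's own code) is a simplified model of why the alert fires on benign traffic and how a per-server profile changes the outcome. The detection function, the profile dictionary, the server addresses other than 10.1.1.1 and the sample URIs are constructed assumptions.

```python
import re

PCT = re.compile(r"%([0-9A-Fa-f]{2})")  # a well-formed %XX escape

def decode_once(uri):
    """One percent-decoding pass: %2F -> '/', %25 -> '%'."""
    return PCT.sub(lambda m: chr(int(m.group(1), 16)), uri)

def is_double_encoded(uri):
    """True when a %XX escape is still present after the first decoding pass."""
    once = decode_once(uri)
    return once != uri and PCT.search(once) is not None

# Hypothetical per-server profiles, modeled on http_inspect_server options.
# "double_decode" here means "alert on double decoding", "no_alerts" silences
# every alert for that server (as in the profile quoted in the message).
PROFILES = {
    "10.1.1.1": {"double_decode": True, "no_alerts": True},
    "10.1.1.2": {"double_decode": False, "no_alerts": False},  # assumed narrower tuning
    "default": {"double_decode": True, "no_alerts": False},
}

def alerts(server_ip, uri, profiles=PROFILES):
    """Return the alerts this simplified model raises for one request."""
    profile = profiles.get(server_ip, profiles["default"])
    if profile["no_alerts"] or not profile["double_decode"]:
        return []
    return ["DOUBLE DECODING ATTACK"] if is_double_encoded(uri) else []

# Constructed sample requests (not taken from any real capture).
BENIGN_NESTED = "/redirect?next=%2Fdocs%2Fa%2520b.pdf"  # app nests an encoded URL
PLAIN = "/search?q=a%20b"                               # single encoding only
SUSPICIOUS = "/a/%252e%252e/b"                          # dots hidden behind two passes

if __name__ == "__main__":
    for ip in ("192.0.2.10", "10.1.1.1", "10.1.1.2"):
        for uri in (BENIGN_NESTED, PLAIN, SUSPICIOUS):
            print(ip, uri, alerts(ip, uri))
```

The benign nested URL and the suspicious one are indistinguishable to this check, which is why the alert is noisy for some applications; silencing it per server removes the false positives and the true positives together, so the quieter profile belongs only on servers known to nest encodings.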
Current thread:
- DOUBLE DECODING ATTACK Julien VARLET (Oct 13)
- Re: DOUBLE DECODING ATTACK Joel Esler (Oct 13)
- Re: DOUBLE DECODING ATTACK Eric Hines (Oct 13)