It's part of the HTTP decode preprocessor. If the HTTP decoding routine finds a %00 (a URL-encoded null byte) in an HTTP request, it alerts with this message. You may see false positives from sites whose cookies carry URL-encoded binary data, or if you are watching port 443 and the preprocessor is handed SSL-encrypted traffic, where the byte sequence "%00" turns up by chance in what is effectively random data. The unicode alert is subject to the same false positives with cookies and SSL. If you are logging the packets that trigger alerts, you can look at the actual string that caused the alert. Having the packet dumps is the only way to tell for sure whether you have a real attack on your hands, but that is true of any content-based alert.
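The following is an added example, not code from Snort or from this FAQ. It re-creates the substring check the text describes (is "%00" or "%uXXXX" present in the packet?) and then performs the triage step the text recommends: it parses the request to see whether the hit sits in the request URI, in a header such as Cookie, or in a payload that is not HTTP at all (the SSL-on-443 case), and shows the decoded string that fired. The "kind" labels and the verdict names are mine, not Snort's alert messages, and the three sample payloads are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote_to_bytes

# The two encodings the text says the HTTP decode preprocessor alerts on.
# These kind labels are this example's own, not Snort's alert message strings.
PATTERNS = {
    "null-byte": re.compile(rb"%00", re.IGNORECASE),
    "unicode": re.compile(rb"%u[0-9a-fA-F]{4}"),
}
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT")


def split_request(payload: bytes):
    """Return [(field, value), ...] for an HTTP request, or None if the payload
    does not start with a request line (e.g. a TLS record seen on port 443)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2 or parts[0] not in HTTP_METHODS:
        return None
    fields = [("uri", parts[1])]
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            fields.append(("header:" + name.strip().lower().decode("latin-1"), value.strip()))
    return fields


def inspect_payload(payload: bytes) -> dict:
    """Emulate the preprocessor's check (is '%00' or '%uXXXX' present anywhere?),
    then record, per hit, where it sits and what it decodes to, which is what an
    analyst needs when reading the logged packet."""
    fields = split_request(payload)
    is_http = fields is not None
    if not is_http:
        fields = [("raw", payload)]
    hits = []
    for field, value in fields:
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(value):
                lo, hi = max(0, m.start() - 12), m.end() + 12
                hits.append({
                    "kind": kind,
                    "field": field,
                    "context": value[lo:hi],
                    # unquote_to_bytes decodes %XX; it leaves %uXXXX untouched, which is
                    # fine here because the goal is to see the raw string that fired.
                    "decoded": unquote_to_bytes(value[lo:hi]),
                })
    return {"is_http": is_http, "hits": hits}


def triage(payload: bytes) -> str:
    """Analyst's rule of thumb, following the text: a hit in the request URI is the
    case worth chasing; hits only in headers such as Cookie are usually URL-encoded
    binary; a payload that is not HTTP at all is the SSL-on-443 false positive."""
    result = inspect_payload(payload)
    if not result["is_http"]:
        return "not-http"
    if any(h["field"] == "uri" for h in result["hits"]):
        return "suspicious"
    if result["hits"]:
        return "probable-fp"
    return "clean"


# Constructed sample payloads (not captured traffic).
ATTACK = (b"GET /cgi-bin/view.pl?file=/etc/passwd%00.html HTTP/1.0\r\n"
          b"Host: www.example.com\r\n\r\n")
COOKIE_FP = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Cookie: session=%8F%00%A2%u0041%3D\r\n\r\n")
# Random-looking bytes standing in for an SSL record that happens to contain "%00".
TLS_FP = bytes.fromhex("16030100") + b"%00" + bytes.fromhex("9c417f0b5e")

if __name__ == "__main__":
    for name, pkt in (("ATTACK", ATTACK), ("COOKIE_FP", COOKIE_FP), ("TLS_FP", TLS_FP)):
        r = inspect_payload(pkt)
        print(name, triage(pkt), [(h["kind"], h["field"], h["context"]) for h in r["hits"]])
```

The verdicts are a starting point for reading the dump, not a replacement for it: a %00 in a Cookie is usually harmless URL-encoded binary, but only the packet itself settles the question, which is the text's point about content-based alerts in general.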