Snort - the de facto standard for intrusion detection/prevention

4.18 I am getting too many "IIS Unicode attack detected" and/or "CGI Null Byte attack detected" false positives. How can I turn this detection off?

These messages are produced by the http_decode preprocessor. To turn off the Unicode check, add -unicode to your http_decode preprocessor line; to turn off the null byte check, add -cginull:

preprocessor http_decode: 80 8080 -unicode -cginull

Your own internal users' normal surfing can trigger these alerts in the preprocessor. Netscape in particular has been known to trigger them.

Instead of disabling the checks, try a BPF filter that ignores your outbound HTTP traffic (replace xxx.xxx with your internal network), such as:

snort -d -A fast -c snort.conf 'not (src net xxx.xxx and dst port 80)'

This has worked very well for us over a period of 5-6 months and Snort is still very able to decode actual and dangerous cgi null and unicode attacks on our public web servers.
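The following is an added toy model of the two approaches above, not Snort's own code: a URI check that raises the two alert names the FAQ mentions, the -unicode and -cginull switches that suppress them, and a direction filter equivalent to the BPF expression. It assumes 10.0.0.0/8 stands in for the xxx.xxx internal network, models the triggers as an IIS-style %uXXXX escape and a percent-encoded NUL (%00), and does not reproduce the preprocessor's exact heuristics. The sample requests are constructed; the one to port 8080 shows that the BPF expression only excludes port 80 even though the http_decode line inspects 8080 as well.

```python
"""Toy model of http_decode's Unicode / null byte alerts and the BPF suppression filter."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: 10.0.0.0/8 plays the role of "xxx.xxx" in the FAQ's command line.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PUBLIC_WEB_SERVER = "203.0.113.10"  # constructed address for the site's public web server

# IIS-style %uXXXX escape; modelled condition behind "IIS Unicode attack detected".
IIS_UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")


@dataclass(frozen=True)
class HttpRequest:
    src: str
    dst: str
    dst_port: int
    uri: str


def http_decode_checks(uri: str, unicode_check: bool = True, cginull_check: bool = True) -> List[str]:
    """Return the alerts the modelled preprocessor would raise for one URI.

    unicode_check=False corresponds to the -unicode switch, cginull_check=False to -cginull.
    """
    alerts = []
    if unicode_check and IIS_UNICODE_ESCAPE.search(uri):
        alerts.append("IIS Unicode attack detected")
    if cginull_check and "%00" in uri:  # percent-encoded NUL byte
        alerts.append("CGI Null Byte attack detected")
    return alerts


def passes_bpf(req: HttpRequest) -> bool:
    """Model of 'not (src net xxx.xxx and dst port 80)': True if the packet is still inspected."""
    outbound_http = ipaddress.ip_address(req.src) in INTERNAL_NET and req.dst_port == 80
    return not outbound_http


def run_sensor(requests: Iterable[HttpRequest], bpf: bool = True,
               unicode_check: bool = True, cginull_check: bool = True) -> Dict[str, List[str]]:
    """Apply the optional BPF filter, then the checks; return {uri: alerts} for alerting requests."""
    results: Dict[str, List[str]] = {}
    for req in requests:
        if bpf and not passes_bpf(req):
            continue  # dropped before the preprocessor ever sees it
        alerts = http_decode_checks(req.uri, unicode_check, cginull_check)
        if alerts:
            results[req.uri] = alerts
    return results


# Constructed traffic: two internal users browsing out, one internal user on port 8080,
# and two outside hosts talking to the public web server.
SAMPLE_TRAFFIC = [
    HttpRequest("10.1.2.3", "198.51.100.7", 80, "/search?q=caf%u00e9"),      # browser %u escape, benign
    HttpRequest("10.1.2.4", "198.51.100.8", 80, "/index.html"),              # plain page fetch
    HttpRequest("10.1.2.5", "198.51.100.9", 8080, "/proxy?u=%u0041"),        # port 8080, not covered by the BPF
    HttpRequest("192.0.2.55", PUBLIC_WEB_SERVER, 80, "/login.asp?user=%u0041dmin"),
    HttpRequest("192.0.2.56", PUBLIC_WEB_SERVER, 80, "/cgi-bin/view.cgi?doc=readme%00"),
]


def demo() -> Dict[str, Dict[str, List[str]]]:
    """The three configurations the FAQ compares: defaults, checks switched off, BPF filter in place."""
    return {
        "defaults": run_sensor(SAMPLE_TRAFFIC, bpf=False),
        "-unicode -cginull": run_sensor(SAMPLE_TRAFFIC, bpf=False, unicode_check=False, cginull_check=False),
        "bpf filter": run_sensor(SAMPLE_TRAFFIC, bpf=True),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name}: {len(alerts)} alerting request(s)")
        for uri, kinds in alerts.items():
            print(f"  {uri}: {', '.join(kinds)}")
```

With the checks disabled nothing alerts at all, including the probes against the public server; with the BPF filter the internal user's %u escape disappears while both inbound requests to the public web server still alert, which is the trade-off the answer describes.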



Nigel Houghton 2006-10-02