OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: [Snort-users] Http Preprocessor Question
From: Martin Roesch (roeschmd.prestige.net)
Date: Tue Nov 28 2000 - 17:23:31 CST


Erickson Brent W KPWA wrote:
>
> Hello fellow Snorters,
>
> I saw from the Whitehats site that the signatures for Microsoft IIS will not
> detect activity if the HTTP preprocessor is loaded.
>
> What are the drawbacks/advantages of disabling the HTTP preprocessor ??

You won't be able to detect encoded URI's.

If you're so inclined, you can download the latest version of it from the CVS
server and it should drop right in to the 1.6.3-patch2 code cleanly. The
latest version detects both NULL byte and UNICODE attacks automatically.

     -Marty

>
> Thank you for your help.
>
> Brent Erickson
>
> _______________________________________________
> Snort-users mailing list
> Snort-userslists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roeschmd.prestige.net
http://www.snort.org
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users