|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Re: [Snort-users] Http Preprocessor Question
From: Martin Roesch (roesch
md.prestige.net)Date: Tue Nov 28 2000 - 17:23:31 CST
- Next message: Arman Magluyan Telecom/SG: "RE: [Snort-users] tcp/510 probe"
- Previous message: John Pettitt: "Re: [Snort-users] 13 instances of ping bsd"
- In reply to: Erickson Brent W KPWA: "[Snort-users] Http Preprocessor Question"
- Reply: Martin Roesch: "Re: [Snort-users] Http Preprocessor Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Erickson Brent W KPWA wrote:
>
> Hello fellow Snorters,
>
> I saw from the Whitehats site that the signatures for Microsoft IIS will not
> detect activity if the HTTP preprocessor is loaded.
>
> What are the drawbacks/advantages of disabling the HTTP preprocessor ??
You won't be able to detect encoded URI's.
If you're so inclined, you can download the latest version of it from the CVS
server and it should drop right in to the 1.6.3-patch2 code cleanly. The
latest version detects both NULL byte and UNICODE attacks automatically.
-Marty
>
> Thank you for your help.
>
> Brent Erickson
>
> _______________________________________________
> Snort-users mailing list
> Snort-userslists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
-- Martin Roesch roesch
- Next message: Arman Magluyan Telecom/SG: "RE: [Snort-users] tcp/510 probe"
- Previous message: John Pettitt: "Re: [Snort-users] 13 instances of ping bsd"
- In reply to: Erickson Brent W KPWA: "[Snort-users] Http Preprocessor Question"
- Reply: Martin Roesch: "Re: [Snort-users] Http Preprocessor Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]