is there also a way to correct the behaviour
only log from $EXTERNAL_NET to $HOME_NET
and not also both directions ?
best regards
hans
--
On Thu, Aug 18, 2005 at 03:21:01PM -0400, Briggs, Bruce wrote:
You use threshold.conf to disable these preprocessor alerts.
suppress gen_id 119, sig_id 2 # disable http_inspect: DOUBLE
DECODING ATTACK alerts
Make sure that threshold.conf is enabled in your snort.conf.
Bruce
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of hans
Sent: Thursday, August 18, 2005 1:04 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] DOUBLE DECODING ATTACK
hi snorters
i run snort 2.3.2 on solaris 9
in the logs i see a lot of entries
with text: DOUBLE DECODING ATTACK
nearly all of the entries are generated
by the source ip-adress of my proxy.
so i assume, i didn't setup snort correctly.
in snort.conf i did define variable HOME_NET
and also var EXTERNAL_NET !$HOME_NET
HOME_NET is defined as super-net of 8 c-class ( /21 )
where proxy-ip is included.
i start snort with option -h and my network.
or is there a way to disable this rule ?
best regards
hans
--
-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
