I had been getting alerts on this and various other HTTP_INSPECT attacks all
the time. Most were from one internal computer to another (typically
Word/Excel opening a document from Sharepoint), and a few from a Mail2Go
package out to the Internet. Too many false positives to be useful.
However, you may want to see what computers this is coming from and look at
the traffic for yourself before you turn it off.
On Nov 15, 2007 7:09 AM, The New York NOC Inc. <andy@thenynoc.com> wrote:
Hey everyone,
I get a lot of (http_inspect) Double Decoding Attack events. Is this
bad? There isn't too much information on this so any help would be
appreciated.
Thanks
Andy
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Chris Libby (chris.a.libby@gmail.com)
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
