Re: [Snort-users] Double Decoding Attack bad?

http_inspect alerts are important.

They aren't false positives, they are actually triggering on traffic, you just 
may not understand what is going on in the traffic.

1)  Set your variables.  HOME_NET, HTTP_SERVERS, etc...  should all be set to 
what is relevant in your network.
2)  Tune your web servers that are protected by Snort in a line by line basis 
in your http_inspect preprocessor.  Use your profiles.  (iis, apache, etc) This 
is key.

Then suppress what you need to.  However, just because alerts are coming from a 
preprocessor doesn't mean they are any less important then the rules.  These 
are all alerts that still need to be reviewed.

J 


On Thu, Nov 15, 2007 at 09:41:20AM -0500, it looks like Chris Libby sent me:
>    I had been getting alerts on this and various other HTTP_INSPECT attacks
>    all the time.  Most were from one internal computer to another (typically
>    Word/Excel opening a document from Sharepoint), and a few from a Mail2Go
>    package out to the Internet.  Too many false positives to be useful.
>    However, you may want to see what computers this is coming from and look
>    at the traffic for yourself before you turn it off.
>
>    On Nov 15, 2007 7:09 AM, The New York NOC Inc. <[1]andy@thenynoc.com>
>    wrote:
>
>      Hey everyone,
>
>      I get a lot of (http_inspect) Double Decoding Attack  events.  Is this
>      bad?  There isn't too much information on this so any help would be
>      appreciated.
>
>      Thanks
>      Andy
>
>
>      -------------------------------------------------------------------------
>      This SF.net email is sponsored by: Splunk Inc.
>      Still grepping through log files to find problems?  Stop.
>      Now Search log events and configuration files using AJAX and a browser.
>      Download your FREE copy of Splunk now >> [2]http://get.splunk.com/
>      _______________________________________________
>      Snort-users mailing list
>      [3]Snort-users@lists.sourceforge.net
>      Go to this URL to change user options or unsubscribe:
>      [4]https://lists.sourceforge.net/lists/listinfo/snort-users
>      Snort-users list archive:
>      [5]http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>    --
>    Chris Libby ([6]chris.a.libby@gmail.com)
>
> References
>
>    Visible links
>    1. mailto:andy@thenynoc.com
>    2. http://get.splunk.com/
>    3. mailto:Snort-users@lists.sourceforge.net
>    4. https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users
>    5. http://www.geocrawler.com/redir-sf.php3?list=snort-users
>    6. mailto:chris.a.libby@gmail.com

> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/

> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users







-----
joel esler 
D4E0 D59F D2C2 234E 6CEF  05E7 29B0 92C9 71DC 92DE

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users