DOUBLE DECODING ATTACK
-
Is there a way to disable this rule? I have problems with most websites because of this stupid rule. This started to have more alerts and blocks after I got my gigabit fibre package!
-
Search the forums for "Suppress rules" or see the Snort FAQ on how to use the Tab.
@NightHawk, you have Snort running on a gigabit connection?
-
I don't know if you're running a server or not. If you're seeing these alerts just surfing the internet, just add a fake "http server" in the "snort_define_servers.php" tab.
Don't forget to define the ports too. Moreover, you can edit the snort.inc file and add "double_decode alerts off" to the "preprocessor http_inspect_server:" part.
Example:
TYPE: "ee /usr/local/pkg/snort/snort.inc"
Find "preprocessor http_inspect_server:"
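
For triaging the alerts discussed in this thread, the following added example (not part of any post above and not Snort's own code) shows the condition the alert name refers to: a URI that still contains percent-escapes after one decoding pass. The function names and the sample URIs are assumptions constructed for illustration; the second sample is the kind of nested redirect link that ordinary browsing produces.

```python
import re
from urllib.parse import unquote_to_bytes

# A percent-escape is '%' followed by two hex digits.
_ESCAPE = re.compile(rb"%[0-9A-Fa-f]{2}")


def decode_layers(uri: bytes, max_layers: int = 5) -> tuple[int, bytes]:
    """Percent-decode repeatedly; return (passes needed, final bytes)."""
    layers = 0
    current = uri
    # Each pass removes one layer of encoding; stop when no escapes remain
    # or when the layer limit is reached (guards against pathological input).
    while layers < max_layers and _ESCAPE.search(current):
        current = unquote_to_bytes(current)
        layers += 1
    return layers, current


def flag_double_encoded(uris):
    """Return (uri, fully_decoded) for every URI needing two or more passes."""
    flagged = []
    for uri in uris:
        layers, decoded = decode_layers(uri)
        if layers >= 2:
            flagged.append((uri, decoded))
    return flagged


# Constructed sample request URIs (not taken from real traffic).
SAMPLES = [
    b"/index.html",                                          # no encoding
    b"/login?next=https%253A%252F%252Fexample.com%252Fhome",  # nested redirect
    b"/search?q=hello%20world",                              # single encoding
    b"/files%252Freport.txt",                                # encoded separator
]

if __name__ == "__main__":
    for uri, decoded in flag_double_encoded(SAMPLES):
        print(f"double-encoded: {uri!r} -> {decoded!r}")
```

Both flagged samples look identical at the encoding level, which is why the decision to suppress or keep the alert has to rest on what the decoded URI contains and which host it was sent to.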