11-21-2012
21,
0
Join Date: Nov 2012
Last Activity: 30 November 2012, 10:41 AM EST
Posts: 21
Thanks Given: 4
Thanked 0 Times in 0 Posts
ok the situation is i have a IDS ( SourceFire ) is snort based and i have a completly normal snort rule, that looks for a escape character on normal HTTP request and he assumes that the type of request on some of the strings i have on my network are a exploit but in fact is not is just a HTTPS that escape the ASCII (a-f 0-9) in this case the rule looks for %1u content and in fact that character "u" exists in some of the requests in https for security reasons. I would like to say Snort if u see any HTTPS request dont use this rule or edit that rule and put only HTTP not on HTTPS transactions.