Hi, snort often detects this attack on my network, but it always is a False Positive. The signature isn't very reliable I think. Look out for more suspicious incidents of break-in attempts.
Mar 27 18:11:49 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61018 -> 195.44.254.18:80
Mar 27 18:12:00 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61019 -> 207.200.86.65:80
Mar 27 18:12:00 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61019 -> 207.200.86.65:80
Mar 27 18:12:02 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61020 -> 207.200.86.65:80
Mar 27 18:12:02 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61020 -> 207.200.86.65:80
Mar 27 18:12:03 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61019 -> 207.200.86.65:80
Mar 27 18:12:08 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61020 -> 207.200.86.65:80
Mar 27 18:12:08 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61020 -> 207.200.86.65:80
Mar 27 18:12:10 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61021 -> 205.188.245.116:80
Mar 27 18:12:10 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61021 -> 205.188.245.116:80

--
Togan Muftuoglu
Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
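One way to triage a burst of these spp_http_decode alerts, as an added example that is not part of the original thread: it groups alerts by source and separates those aimed at web servers you run from the rest. The function names, the `web_servers` set and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Syslog form shown in the thread; the source may be masked (212.xxx.xxx.xxx).
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
    r"spp_http_decode: IIS Unicode attack detected: "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(lines):
    """Return one dict per IIS Unicode alert line; other lines are skipped."""
    return [m.groupdict() for m in (ALERT_RE.match(l.strip()) for l in lines) if m]

def summarize(alerts, web_servers):
    """Per source: alert count, distinct TCP sessions, destinations, and
    how many alerts were aimed at a server in web_servers (hypothetical set)."""
    summary = defaultdict(lambda: {"alerts": 0, "sessions": set(),
                                   "dsts": Counter(), "to_own_servers": 0})
    for a in alerts:
        s = summary[a["src"]]
        s["alerts"] += 1
        # Snort logs the same session repeatedly; count each session once.
        s["sessions"].add((a["sport"], a["dst"], a["dport"]))
        s["dsts"][a["dst"]] += 1
        if a["dst"] in web_servers:
            s["to_own_servers"] += 1
    return dict(summary)

# Constructed sample in the same format as the log above.
SAMPLE = """\
Mar 27 18:11:49 sensor snort: spp_http_decode: IIS Unicode attack detected: 192.0.2.10:61018 -> 198.51.100.18:80
Mar 27 18:12:00 sensor snort: spp_http_decode: IIS Unicode attack detected: 192.0.2.10:61019 -> 198.51.100.65:80
Mar 27 18:12:00 sensor snort: spp_http_decode: IIS Unicode attack detected: 192.0.2.10:61019 -> 198.51.100.65:80
Mar 27 18:12:05 sensor snort: spp_http_decode: IIS Unicode attack detected: 203.0.113.7:4312 -> 192.0.2.80:80
Mar 27 18:12:06 sensor sshd[411]: unrelated line
""".splitlines()

if __name__ == "__main__":
    for src, s in summarize(parse_alerts(SAMPLE), {"192.0.2.80"}).items():
        print(src, s["alerts"], "alerts,", len(s["sessions"]), "sessions,",
              len(s["dsts"]), "destinations,", s["to_own_servers"], "to own servers")
```

Alerts counted under `to_own_servers` are the ones to correlate with the web server's own access logs before dismissing them.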