Martin, This was discussed a few months back on the SuSe mailing list. The answer given there is pasted below. I'm sure a net search will yield more info. Hope this helps.
Posted to Suse list in March 2001: This is most likely triggered by someone from your internal LAN accessing a web site with an occasional unicode overlong prefix (probably stored in a cookie or something). >>> Martin F Krafft <[EMAIL PROTECTED]> 09/06/01 02:35PM >>> i use snort and logcheck, and there is a windoze machine (NT4) on my subnet (unfortunately), and i constantly get this message from snort via logcheck. wtf??? ----- Forwarded message from root <[EMAIL PROTECTED]> ----- Active System Attack Alerts =-=-=-=-=-=-=-=-=-=-=-=-=-= Sep 6 22:00:34 seamus snort: spp_http_decode: IIS Unicode attack detected: 192.168.14.22:1594 -> 62.109.129.165:80 ----- End forwarded message ----- there are *no* attacks, i verified that, *and* we are firewalled, *and* there is no IIS on either. what's up? martin; (greetings from the heart of the sun.) \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED] -- i have the power to channel my imagination into ever-soaring levels of suspicion and paranoia. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
