Snort mailing list archives

RE: what triggers these?


From: "Kretzer, Jason R (Big Sandy)" <jason.kretzer () kctcs edu>
Date: Wed, 12 Oct 2005 10:53:38 -0400


[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
This is caused by the http_inspect preprocessor. This preprocessor
analyzes at least part of your HTTP traffic. It found a uri in an http
request where the directory string was longer than the maximum
configured:
http_inspect: oversize_dir_length


What is odd is that all I am getting in my apache access.log is

218.111.85.66 - - [09/Oct/2005:09:10:46 -0400] "GET / HTTP/1.0" 302 382 "-" "-"
218.111.85.66 - - [09/Oct/2005:09:10:56 -0400] "GET / HTTP/1.0" 302 382 "-" "-"
67.140.25.161 - - [11/Oct/2005:06:53:38 -0400] "GET / HTTP/1.0" 302 386 "-" "-"
67.140.25.161 - - [11/Oct/2005:07:08:47 -0400] "GET / HTTP/1.0" 302 386 "-" "-"
67.140.25.161 - - [11/Oct/2005:07:17:16 -0400] "GET / HTTP/1.0" 302 386 "-" "-"
67.140.25.161 - - [11/Oct/2005:08:08:20 -0400] "GET / HTTP/1.0" 302 386 "-" "-"


Is this an attack of some sort?  I am getting code 302, which is

302 - Found
The requested resource has been found under a different URI but the
client should continue to use the original URI.

Should that not be 414?


If it helps, here is the full text of one of the alerts

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
10/11-06:53:38.450993 67.140.25.161:2729 -> this.is.my.ip:80
TCP TTL:115 TOS:0x0 ID:32819 IpLen:20 DgmLen:1420 DF
***A**** Seq: 0x4F16C405  Ack: 0xD13253C  Win: 0xFAF0  TcpLen: 20

-Jason
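As an added example (not code from the thread or from the Snort project), here is the correlation Jason is doing by hand: parse Snort's full-alert output and Apache's access.log, pair each alert with access.log entries from the same client within a few seconds, and measure the longest directory segment of a request URI, which is roughly the quantity http_inspect compares against oversize_dir_length. The sample lines are constructed from the ones quoted above; the year 2005, the 192.0.2.10 server address and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample input modelled on the lines quoted in the thread (not real captures).
# 192.0.2.10 stands in for the web server address the poster masked as this.is.my.ip.
SNORT_ALERTS = """\
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
10/11-06:53:38.450993 67.140.25.161:2729 -> 192.0.2.10:80
TCP TTL:115 TOS:0x0 ID:32819 IpLen:20 DgmLen:1420 DF
"""
APACHE_LOG = """\
218.111.85.66 - - [09/Oct/2005:09:10:46 -0400] "GET / HTTP/1.0" 302 382 "-" "-"
67.140.25.161 - - [11/Oct/2005:06:53:38 -0400] "GET / HTTP/1.0" 302 386 "-" "-"
67.140.25.161 - - [11/Oct/2005:07:08:47 -0400] "GET / HTTP/1.0" 302 386 "-" "-"
"""

ALERT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ (\S+):\d+ -> (\S+):\d+")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def parse_alerts(text, year):
    """Return (timestamp, src_ip, message) tuples from Snort's full alert output.
    The packet line carries no year, so the caller supplies it (assumed 2005 here)."""
    msg, out = None, []
    for line in text.splitlines():
        if line.startswith("[**]"):
            msg = line.strip()[4:-4].strip()  # drop the [**] markers
            continue
        m = ALERT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year}-{m[1]}-{m[2]} {m[3]}", "%Y-%m-%d %H:%M:%S")
            out.append((ts, m[4], msg))
    return out

def parse_access_log(text):
    """Return (timestamp, client_ip, request_line, status) tuples from access.log lines.
    The tz offset is dropped: sensor and web server are assumed to share a clock."""
    out = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            ts = datetime.strptime(m[2].split()[0], "%d/%b/%Y:%H:%M:%S")
            out.append((ts, m[1], m[3], int(m[4])))
    return out

def correlate(alerts, hits, window=timedelta(seconds=5)):
    """Pair each alert with access.log entries from the same client within `window`."""
    return [(a, h) for a in alerts for h in hits
            if a[1] == h[1] and abs(a[0] - h[0]) <= window]

def longest_dir(uri):
    """Length of the longest '/'-separated directory in a request URI, query stripped.
    Approximates the quantity http_inspect compares against oversize_dir_length."""
    return max(len(seg) for seg in uri.split("?", 1)[0].split("/"))
```

A hit whose logged request line is just "GET /" but whose alert packet is 1420 bytes is exactly the pair worth pulling the full packet payload for, since access.log records only the request line, not the rest of the request.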




-----Original Message-----
From: Ralf Spenneberg [mailto:lists () spenneberg org] 
Sent: Wednesday, October 12, 2005 9:08 AM
To: Kretzer, Jason R (Big Sandy)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] what triggers these?

Hi Jason,

On Tuesday, 11.10.2005, 09:26 -0400, Kretzer, Jason R (Big Sandy) wrote:
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
This is caused by the http_inspect preprocessor. This preprocessor
analyzes at least part of your HTTP traffic. It found a uri in an http
request where the directory string was longer than the maximum
configured:
http_inspect: oversize_dir_length


[**] [1:1416:9] SNMP broadcast trap [**]
Your printer is configured to send out SNMP Broadcast Traps. If you do
not use any software that listens to SNMP Traps I would advise disabling
it. If you do, you might want to remove Signature 1416 in Snort
snmp.rules:
alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap";
reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132;
reference:cve,2002-0012; reference:cve,2002-0013;
classtype:attempted-recon; sid:1416; rev:9;)


The first is coming from the outside world, the second is coming from
a network printer.  Are these anything to be really worried about?

Well, depending on the value you used for oversize_dir_length and your
webserver, it might be normal or unusual.

Cheers,

Ralf
--
Ralf Spenneberg
OpenSource Training
http://www.opensource-training.de
Webereistr. 1, 48565 Steinfurt, Germany




