Snort mailing list archives
RE: what triggers these?
From: "Kretzer, Jason R (Big Sandy)" <jason.kretzer () kctcs edu>
Date: Wed, 12 Oct 2005 11:24:41 -0400
Wait a minute, ignore the 302 code stuff below. This is expected behavior. Sorry about that.

-Jason
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Kretzer, Jason R (Big Sandy)
Sent: Wednesday, October 12, 2005 10:54 AM
To: Ralf Spenneberg
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] what triggers these?

>> [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
>
> This is caused by the http_inspect preprocessor. This preprocessor analyzes at least part of your HTTP traffic. It found a uri in an http request where the directory string was longer than the maximum configured:
>
> http_inspect: oversize_dir_length

What is odd is that all I am getting in my apache access.log is

218.111.85.66 - - [09/Oct/2005:09:10:46 -0400] "GET / HTTP/1.0" 302 382 "-" "-"
218.111.85.66 - - [09/Oct/2005:09:10:56 -0400] "GET / HTTP/1.0" 302 382 "-" "-"
67.140.25.161 - - [11/Oct/2005:06:53:38 -0400] "GET / HTTP/1.0" 302 386 "-" "-"
67.140.25.161 - - [11/Oct/2005:07:08:47 -0400] "GET / HTTP/1.0" 302 386 "-" "-"
67.140.25.161 - - [11/Oct/2005:07:17:16 -0400] "GET / HTTP/1.0" 302 386 "-" "-"
67.140.25.161 - - [11/Oct/2005:08:08:20 -0400] "GET / HTTP/1.0" 302 386 "-" "-"

Is this an attack of some sort? I am getting code 302 which is

302 - Found
The requested resource has been found under a different URI but the client should continue to use the original URI.

Should that not be 414?

If it helps, here is the full text of one of the alerts

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
10/11-06:53:38.450993 67.140.25.161:2729 -> this.is.my.ip:80
TCP TTL:115 TOS:0x0 ID:32819 IpLen:20 DgmLen:1420 DF
***A**** Seq: 0x4F16C405 Ack: 0xD13253C Win: 0xFAF0 TcpLen: 20

-Jason

-----Original Message-----
From: Ralf Spenneberg [mailto:lists () spenneberg org]
Sent: Wednesday, October 12, 2005 9:08 AM
To: Kretzer, Jason R (Big Sandy)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] what triggers these?
Hi Jason,

On Tuesday, 11.10.2005, at 09:26 -0400, Kretzer, Jason R (Big Sandy) wrote:

> [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]

This is caused by the http_inspect preprocessor. This preprocessor analyzes at least part of your HTTP traffic. It found a uri in an http request where the directory string was longer than the maximum configured:

http_inspect: oversize_dir_length

> [**] [1:1416:9] SNMP broadcast trap [**]

Your printer is configured to send out SNMP Broadcast Traps. If you do not use any software that listens to SNMP Traps I would advise disabling it. If you do, you might want to remove Signature 1416 in Snort snmp.rules:

alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:9;)

> The first is coming from the outside world, the second is coming from a network printer. Are these anything to be really worried about?

Well depending on the value you used for oversize_dir_length and your webserver it might be normal or unusual.

Cheers,
Ralf

--
Ralf Spenneberg
OpenSource Training
http://www.opensource-training.de
Webereistr. 1
48565 Steinfurt
Germany

-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
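The check discussed in this thread, as an added example that is not part of the original messages and is not Snort's own code: a simplified Python model that measures the longest slash-delimited component of a request URI path and compares it with an oversize_dir_length value. The sample request lines and the threshold of 300 are constructed assumptions, the final path component is counted like a directory, and http_inspect's URI normalization is not modeled.

```python
from urllib.parse import urlsplit

# Assumed threshold for illustration; use the oversize_dir_length value
# from your own http_inspect configuration.
OVERSIZE_DIR_LENGTH = 300


def uri_path(request_line: str) -> str:
    """Extract the path part of the request URI from an HTTP request line."""
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError(f"not an HTTP request line: {request_line!r}")
    uri = parts[1]
    if uri.startswith("/"):
        # origin-form: drop query string and fragment by hand so that a
        # leading "//" is not mistaken for a network location
        return uri.split("?", 1)[0].split("#", 1)[0]
    # absolute-form (proxy style): let urlsplit isolate the path
    return urlsplit(uri).path


def longest_dir_length(request_line: str) -> int:
    """Length of the longest slash-delimited component of the URI path."""
    return max(len(seg) for seg in uri_path(request_line).split("/"))


def would_alert(request_line: str, limit: int = OVERSIZE_DIR_LENGTH) -> bool:
    """True when a path component is longer than the configured limit."""
    return longest_dir_length(request_line) > limit


# Constructed sample request lines (not taken from the thread's traffic).
SAMPLES = [
    "GET / HTTP/1.0",
    "GET /docs/manual/index.html?ref=/a/b HTTP/1.0",
    "GET http://www.example.test/cgi-bin/status HTTP/1.0",
    "GET /" + "A" * 600 + "/index.html HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        shown = line if len(line) < 60 else line[:57] + "..."
        print(f"{longest_dir_length(line):4d}  alert={would_alert(line)}  {shown}")
```

Feeding it request lines from your own web server logs or captures shows how close normal traffic comes to the configured limit, which is the "normal or unusual" judgment the reply leaves to the site.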
Current thread:
- what triggers these? Kretzer, Jason R (Big Sandy) (Oct 11)
- Re: what triggers these? Ralf Spenneberg (Oct 12)
- <Possible follow-ups>
- RE: what triggers these? Kretzer, Jason R (Big Sandy) (Oct 12)
- RE: what triggers these? Kretzer, Jason R (Big Sandy) (Oct 12)