Snort mailing list archives
Re: Logging URI too long
From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Thu, 31 May 2012 11:17:42 -0400
Hello Un saludo, The URI is truncated before logging to u2. There is no alert when URI is too long. The alert 119:25 is for long hostname. If you have an URI that is not being logged, you can send us the pcap for it. Thanks! -B On Tue, May 22, 2012 at 7:55 AM, Nelo Belda <nbelda () gmail com> wrote:
Hi all, I realized a behaviour in Snort that I want to share with all of you. Snort is now logging URI and Hostname as Extra Data but, what if URI is too long? I've seen alerts related with error 500 that uri is present but when alert is 414 (URI too long) there's no extra data. I've made a patch in BASE to show Extra Data Info and tried with u2spewfoo as well but it seems that in this case it's not logged. That post says: "When a HTTP Request URI is greater than 2048 or when a HTTP hostname (specified in the "Host" Request header) is greater than 256, Snort will log the truncated the URI and/or hostname. A preprocessor alert with GID:119 and SID:25 is generated when hostname exceeds 256 bytes." Where is truncated? How can I get Extra Data of a "URI Too Long" alert? Is it logged in that case? Best regards Un saludo ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Logging URI too long Nelo Belda (May 22)
- Re: Logging URI too long Bhagya Bantwal (May 31)
- Re: Logging URI too long Nelo Belda (May 31)
- Re: Logging URI too long Bhagya Bantwal (May 31)