Snort mailing list archives
Re: Logging URI too long
From: Nelo Belda <nbelda () gmail com>
Date: Thu, 31 May 2012 18:08:25 +0200
I apologize for confusion. My question is not about URI truncation but is about logging URI request on alerts triggered by server responses. Why are URIs logged when error 500 occurs and not when is 414? Today, I've detected an alert with full URI that was triggered by error 414 so I think URIs were not logged due to memory insufficiency or any other reason. Maybe I is due to a low memcap. And yes, URI was 2048 chars length. Thank you PS: "Un saludo" means "Regards" in spanish. It isn't my name ;) 2012/5/31 Bhagya Bantwal <bbantwal () sourcefire com>
Hello Un saludo, The URI is truncated before logging to u2. There is no alert when URI is too long. The alert 119:25 is for long hostname. If you have an URI that is not being logged, you can send us the pcap for it. Thanks! -B On Tue, May 22, 2012 at 7:55 AM, Nelo Belda <nbelda () gmail com> wrote:Hi all, I realized a behaviour in Snort that I want to share with all of you.Snortis now logging URI and Hostname as Extra Data but, what if URI is toolong?I've seen alerts related with error 500 that uri is present but whenalertis 414 (URI too long) there's no extra data. I've made a patch in BASE to show Extra Data Info and tried withu2spewfooas well but it seems that in this case it's not logged. That post says: "When a HTTP Request URI is greater than 2048 or when a HTTP hostname (specified in the "Host" Request header) is greater than 256, Snort willlogthe truncated the URI and/or hostname. A preprocessor alert with GID:119andSID:25 is generated when hostname exceeds 256 bytes." Where is truncated? How can I get Extra Data of a "URI Too Long" alert?Isit logged in that case? Best regards Un saludo------------------------------------------------------------------------------Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latestSnortnews!
Traduce<http://www.wordreference.com/es/translation.asp?tranword=Why%20are%20URIs%20logged%20when%20error%20500%20occurs%20and%20not%20when%20#article>
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Logging URI too long Nelo Belda (May 22)
- Re: Logging URI too long Bhagya Bantwal (May 31)
- Re: Logging URI too long Nelo Belda (May 31)
- Re: Logging URI too long Bhagya Bantwal (May 31)