Re: Logging URI too long

[Nelo Belda <nbelda () gmail com>]

I apologize for confusion. My question is not about URI truncation but is
about logging URI request on alerts triggered by server responses. Why are
URIs logged when error 500 occurs and not when is 414?

Today, I've detected an alert with full URI that was triggered by error 414
so I think URIs were not logged due to memory insufficiency or any other
reason. Maybe I is due to a low memcap. And yes, URI was 2048 chars length.

Thank you

PS: "Un saludo" means "Regards" in spanish. It isn't my name ;)

2012/5/31 Bhagya Bantwal <bbantwal () sourcefire com>

> Hello Un saludo,
>
> The URI is truncated before logging to u2. There is no alert when URI
> is too long. The alert 119:25 is for long hostname.
>
> If you have an URI that is not being logged, you can send us the pcap for
> it.
>
> Thanks!
>
> -B
>
> On Tue, May 22, 2012 at 7:55 AM, Nelo Belda <nbelda () gmail com> wrote:
> > Hi all,
> >
> > I realized a behaviour in Snort that I want to share with all of you.
> Snort
> > is now logging URI and Hostname as Extra Data but, what if URI is too
> long?
> > I've seen alerts related with error 500 that uri is present but when
> alert
> > is 414 (URI too long) there's no extra data.
> >
> > I've made a patch in BASE to show Extra Data Info and tried with
> u2spewfoo
> > as well but it seems that in this case it's not logged. That post says:
> >
> > "When a HTTP Request URI is greater than 2048 or when a HTTP hostname
> > (specified in the "Host" Request header) is greater than 256, Snort will
> log
> > the truncated the URI and/or hostname. A preprocessor alert with GID:119
> and
> > SID:25 is generated when hostname exceeds 256 bytes."
> >
> > Where is truncated? How can I get Extra Data of a "URI Too Long" alert?
> Is
> > it logged in that case?
> >
> > Best regards
> > Un saludo
> ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort
> > news!

Traduce<http://www.wordreference.com/es/translation.asp?tranword=Why%20are%20URIs%20logged%20when%20error%20500%20occurs%20and%20not%20when%20#article>

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!