Snort mailing list archives
Re: http_inspect tuning issue
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 03 Jul 2012 01:31:18 -0400
On 7/2/2012 18:53, Castle, Shane wrote:
I am getting thousands of 120:8 alerts (http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE) and I can't figure out how to tune http_inspect so that they aren't triggered. Any info on this would be appreciated.
why would you want to tune them out? what do your pcaps (packet captures) show? this, to me, stinks of some sort of consolidated attack on your servers or possibly of trying to use them in an attack against another server or servers... i say this while looking at the thousands of attacks that my systems repel every day which are trying to use my servers against other servers... the main key factor in my case is that they are caught and automatically blocked before they can infiltrate my servers... yes, this is "slightly" against the normal flow processing of monitoring IDS/IPS alerts but it is the process that i and those i support have chosen ;)