Re: http_inspect tuning issue

[waldo kitty <wkitty42 () windstream net>]

On 7/2/2012 18:53, Castle, Shane wrote:
> I am getting thousands of 120:8 alerts (http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE) and I can't 
> figure out how to tune http_inspect so that they aren't triggered. Any info on this would be appreciated.

why would you want to tune them out? what do your pcaps (packet captures) show? 
this, to me, stinks of some sort of consolidated attack on your servers or 
possibly of trying to use them in an attack against another server or servers...

i say this while looking at the thousands of attacks that my systems repel every 
day which are trying to use my servers against other servers... the main key 
factor in my case is that they are caught and automatically blocked before they 
can infiltrate my servers... yes, this is "slightly" against the normal flow 
processing of monitoring IDS/IPS alerts but it is the process that i and those i 
support have chosen ;)

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!