Snort mailing list archives
High Amount of http_inspect: OVERSIZE REQUEST-URI DIRECTORY
From: Rowell Dionicio <RDionicio () infracore net>
Date: Mon, 28 Jul 2014 15:23:36 +0000
I'm getting a lot of false positives on:

http_inspect: OVERSIZE REQUEST-URI DIRECTORY

I know it's a preprocessor analyzing HTTP traffic where the directory string is longer than the max configured, but almost all that I have seen are legitimate web traffic. Does this mean most of the web traffic is just pushing lots of characters into the directory string, making this inspection mostly useless? It seems that creating an alert that looks for something, a vulnerability, within the content using pcre would make more sense.

Do most of you suppress these alerts or increase the directory length?

-Rowell
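Added example, not part of the original post or of Snort itself: a way to measure the directory lengths in observed request URIs before choosing between suppressing the alert and raising http_inspect's `oversize_dir_length`. It assumes a "directory" is the text between two slashes in the path, before the query string, which approximates the preprocessor's check; the sample URIs and the limits 300 and 500 are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample request URIs (not taken from the thread or real traffic).
SAMPLE_URIS = [
    "/index.html",
    "/static/js/app.min.js?v=" + "9" * 600,   # long query string, short directories
    "/cdn/" + "a" * 320 + "/logo.png",        # long hashed cache directory
    "/api/v1/users/42/profile",
    "/track/" + "QUJD" * 150 + "/pixel.gif",  # 600-char encoded blob used as a directory
]


def longest_directory(uri):
    """Return the length of the longest path component that is followed by '/'.

    Assumption: this models a URI directory as http_inspect measures it. The
    query string and the final component (the file name) are not counted.
    """
    path = urlsplit(uri).path
    directories = path.split("/")[:-1]  # drop the trailing file name
    return max((len(d) for d in directories), default=0)


def would_alert(uris, limit):
    """URIs whose longest directory exceeds the configured limit."""
    return [u for u in uris if longest_directory(u) > limit]


def smallest_quiet_limit(uris):
    """Lowest limit at which none of the given URIs would alert."""
    return max(longest_directory(u) for u in uris)


if __name__ == "__main__":
    for limit in (300, 500):
        hits = would_alert(SAMPLE_URIS, limit)
        print(f"limit {limit}: {len(hits)} of {len(SAMPLE_URIS)} URIs would alert")
    print("limit needed to silence this sample:", smallest_quiet_limit(SAMPLE_URIS))
```

Run over URIs exported from a proxy or web server log, this shows whether a modest increase of the limit clears the legitimate traffic or whether a few applications dominate the alerts and are better handled with a targeted suppression.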
Current thread:
- High Amount of http_inspect: OVERSIZE REQUEST-URI DIRECTORY Rowell Dionicio (Jul 28)
- Re: High Amount of http_inspect: OVERSIZE REQUEST-URI DIRECTORY waldo kitty (Jul 28)