High Amount of http_inspect: OVERSIZE REQUEST-URI DIRECTORY

[Rowell Dionicio <RDionicio () infracore net>]

I'm getting a lot of false positives on: http_inspect: OVERSIZE REQUEST-URI DIRECTORY

I know it's a preprocessor analyzing http traffic where the directory string is longer than the max configured but 
almost all that I have seen are legitimate web traffic.

Does this mean most of the web traffic is just pushing lots of characters into the directory string making this 
inspection mostly useless? It seems that creating an alert that looks for something, a vulnerability, within the 
content using pcre would make more sense.

Do most of you suppress these alerts or increase the directory length?

-Rowell

------------------------------------------------------------------------------
Infragistics Professional
Build stunning WinForms apps today!
Reboot your WinForms applications with our WinForms controls. 
Build a bridge from your legacy apps to the future.
http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!