Snort mailing list archives

Re: what triggers these?


From: Ralf Spenneberg <lists () spenneberg org>
Date: Wed, 12 Oct 2005 15:07:40 +0200

Hi Jason,

On Tuesday, 11.10.2005, at 09:26 -0400, Kretzer, Jason R (Big Sandy) wrote:
> [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
This is caused by the http_inspect preprocessor. This preprocessor
analyzes at least part of your HTTP traffic. It found a URI in an HTTP
request where the directory string was longer than the maximum
configured:
http_inspect: oversize_dir_length


> [**] [1:1416:9] SNMP broadcast trap [**]
Your printer is configured to send out SNMP Broadcast Traps. If you do
not use any software that listens to SNMP Traps, I would advise disabling
it. If you do, you might want to remove Signature 1416 in Snort
snmp.rules:
alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap";
reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132;
reference:cve,2002-0012; reference:cve,2002-0013;
classtype:attempted-recon; sid:1416; rev:9;)


> The first is coming from the outside world, the second is coming from
> a network printer.  Are these anything to be really worried about?

Well, depending on the value you used for oversize_dir_length and your
webserver, it might be normal or unusual.

Cheers,

Ralf
-- 
Ralf Spenneberg
OpenSource Training                     http://www.opensource-training.de
Webereistr. 1                           48565 Steinfurt           Germany
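
An added example, not part of the message above and not Snort's own code: a small Python helper that measures the longest directory component in logged request URIs, to judge whether a given oversize_dir_length value would fire on a web server's normal traffic. The log lines are constructed, the limit of 300 is an example value, and it assumes the length is counted per path component between slashes on the raw logged URI, which may differ from what the preprocessor sees after normalization.

```python
import re

# Constructed sample lines in common log format; not real traffic.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [12/Oct/2005:15:07:40 +0200] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/Oct/2005:15:08:01 +0200] "GET /docs/manuals/printer/setup.html?lang=en HTTP/1.1" 200 2048',
    '192.0.2.12 - - [12/Oct/2005:15:09:13 +0200] "GET /' + "A" * 600 + '/x.html HTTP/1.0" 404 0',
    'malformed line without a request field',
])

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/\d\.\d"')


def longest_dir(uri):
    """Length of the longest directory component in a request URI.

    Assumption: a "directory" is a path component that is followed by a
    slash; the query string and the final file name are not counted.
    """
    path = uri.split("?", 1)[0].split("#", 1)[0]
    dirs = path.split("/")[1:-1]
    return max((len(d) for d in dirs), default=0)


def check_log(log_text, limit):
    """Return (longest directory seen, URIs whose directory exceeds limit)."""
    longest, over = 0, []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue  # skip lines that carry no parsable request
        uri = match.group(1)
        n = longest_dir(uri)
        longest = max(longest, n)
        if n > limit:
            over.append(uri)
    return longest, over


if __name__ == "__main__":
    longest, over = check_log(SAMPLE_LOG, limit=300)  # 300 is an example value
    print("longest directory component:", longest)
    for uri in over:
        print("would exceed limit:", uri[:60] + "...")
```

If the longest value seen in ordinary logs sits well below the configured limit, an OVERSIZE REQUEST-URI DIRECTORY alert points at an unusual request rather than at the web server's normal URLs.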



