Snort mailing list archives

Understanding "OVERSIZE CHUNK ENCODING" alerts


From: Julio Cesar Gazquez <jgazque0 () rosario gov ar>
Date: Mon, 18 Feb 2008 08:40:19 -0300

Hello list.

I'm trying to reduce my false positives. I already silenced a few; however, I'm 
trying to understand why an alert is triggered, and not just shut them up 
blindly (e.g. I think it is ok if that robots.txt is accessed from address 
blocks owned by well known search engines).

Now I'm facing the http preprocessor's "OVERSIZE CHUNK ENCODING" alerts. While I'm 
not sure, I guess that requests including large hex values could trigger 
this, even if there is no chunk encoding at all. So requests to our website 
including session IDs in the GET request will produce a lot of false 
positives in our IDS. Am I right, or should I look somewhere else?

Thanks in advance.

-- 
Julio César Gázquez
Seguridad Informática -- Int. 736
Municipalidad de Rosario
