Snort mailing list archives
Understanding "OVERSIZE CHUNK ENCODING" alerts
From: Julio Cesar Gazquez <jgazque0 () rosario gov ar>
Date: Mon, 18 Feb 2008 08:40:19 -0300
Hello list.

I'm trying to reduce my false positives. I have already silenced a few; however, I'm trying to understand why an alert is triggered, and not just shut them up blindly (e.g. I think it is OK if robots.txt is accessed from address blocks owned by well-known search engines).

Now I'm facing the http preprocessor's "OVERSIZE CHUNK ENCODING" alerts. While I'm not sure, I guess that requests including large hex values could trigger this, even if there is no chunk encoding at all. So requests to our website including session IDs in the GET request will produce a lot of false positives in our IDS.

Am I right, or should I look somewhere else?

Thanks in advance.

--
Julio César Gázquez
Seguridad Informática -- Int. 736
Municipalidad de Rosario
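For reference, an added example that is not part of the original post and is not Snort's http_inspect code: a small parser that walks a request body as HTTP/1.1 chunked transfer coding defines it and reports declared chunk sizes above a limit. The 500000 limit, the function names and the three sample requests are assumptions constructed for illustration.

```python
import re

MAX_CHUNK = 500000  # assumed limit, chosen for illustration
HEX = re.compile(rb"[0-9A-Fa-f]+")

def split_request(raw: bytes):
    """Return (headers with lower-cased names and values, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def oversize_chunks(raw: bytes, limit: int = MAX_CHUNK):
    """List declared chunk sizes above `limit`; [] if the body is not chunked."""
    headers, body = split_request(raw)
    codings = [c.strip() for c in headers.get(b"transfer-encoding", b"").split(b",")]
    if b"chunked" not in codings:
        return []  # without this coding, no bytes are read as chunk sizes
    found, pos = [], 0
    while pos < len(body):
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            break  # truncated size line
        size_field = body[pos:eol].split(b";")[0].strip()  # drop chunk extensions
        if not HEX.fullmatch(size_field):
            break  # malformed size line: stop rather than guess
        size = int(size_field, 16)
        if size > limit:
            found.append(size)
        if size == 0:
            break  # last-chunk marker
        pos = eol + 2 + size + 2  # skip the chunk data and its trailing CRLF
    return found

# Constructed sample requests (not captured traffic).
GET_WITH_SESSION = (b"GET /app?sid=9F86D081884C7D659A2FEAA0C55AD015 HTTP/1.1\r\n"
                    b"Host: www.example.org\r\n\r\n")
CHUNKED_OK = (b"POST /form HTTP/1.1\r\nHost: www.example.org\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
CHUNKED_BIG = (b"POST /form HTTP/1.1\r\nHost: www.example.org\r\n"
               b"Transfer-Encoding: chunked\r\n\r\nFFFFFFFF\r\nAAAA")

if __name__ == "__main__":
    for name in ("GET_WITH_SESSION", "CHUNKED_OK", "CHUNKED_BIG"):
        print(name, oversize_chunks(globals()[name]))
```

Comparing what this strict parser reports with what the IDS alerts on for the same request shows whether the sensor is reading chunk sizes from bytes that are not a chunked body.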