Re: Signature Lookup Confusion

[beenph <beenph () gmail com>]

[gid:sid:revision]

binf@SINGULAR:~/$ grep "^120" gen-msg.map
120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
120 || 2 || http_inspect: INVALID STATUS CODE IN HTTP RESPONSE
120 || 3 || http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN
HTTP RESPONSE
120 || 4 || http_inspect: HTTP RESPONSE HAS UTF CHARSET WHICH FAILED
TO NORMALIZE
120 || 5 || http_inspect: HTTP RESPONSE HAS UTF-7 CHARSET
120 || 6 || http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED
120 || 7 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
120 || 8 || http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
120 || 9 || http_inspect: JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
120 || 10 || http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
120 || 11 || http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA

On Tue, May 7, 2013 at 1:24 PM, Josh Bitto <jbitto () onlineschool ca> wrote:
> I'm having a bit of a problem fully grasping how to search up rules that have been fired.....
>
> 2013-05-07T10:14:05-07:00 firewall snort[62223]: [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE 
> [Classification: Unknown Traffic] [Priority: 3] {TCP} 209.97.200.53:32459 -> 216.178.47.38:80
>
>
> Ok so what I understand from the log is that rule 120 fired. Either I need some caffeine or it's a horrible Tuesday 
> for me to comprehend this, but I'm just not getting it. The instructions on how to search for the group id and the 
> sid for some reason are not sticking. Can someone dumb this down for me....I'm gonna run out and get a pop and 
> hopefully come back to someone who has awesomely helped me out.
>
>
> Basically I want to be able to search for explanations on whatever event happens so I can determine if I need to take 
> action or not.
>
>
>
> Josh
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and
> their applications. This 200-page book is written by three acclaimed
> leaders in the field. The early access version is available now.
> Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!