Snort mailing list archives

Re: Signature Lookup Confusion


From: Jeremy Hoel <jthoel () gmail com>
Date: Tue, 7 May 2013 17:32:12 +0000

Oops.. early <enter>..

To find out more about that preprocessor, check the source code, under
docs.. you'll see README.http_inspect.  Search for Chunk and you get

* chunk_length [non-zero positive integer] *
This option is an anomaly detector for abnormally large chunk sizes.  This picks
up the apache chunk encoding exploits, and may also alert on HTTP tunneling that
uses chunk encoding.

Anyways.. the readme explains what the config options are for and how
you might be able to tweak it better.

On Tue, May 7, 2013 at 5:29 PM, Jeremy Hoel <jthoel () gmail com> wrote:
This is GID 120, SID 8.

So it's not a rule as in snort.rules. This gets fired from the
preprocessor http_inspect.

On Tue, May 7, 2013 at 5:24 PM, Josh Bitto <jbitto () onlineschool ca> wrote:
I'm having a bit of a problem fully grasping how to search up rules that have been fired...

2013-05-07T10:14:05-07:00 firewall snort[62223]: [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 209.97.200.53:32459 -> 216.178.47.38:80


Ok so what I understand from the log is that rule 120 fired. Either I need some caffeine or it's a horrible Tuesday
for me to comprehend this, but I'm just not getting it. The instructions on how to search for the group id and the
sid for some reason are not sticking. Can someone dumb this down for me... I'm gonna run out and get a pop and
hopefully come back to someone who has awesomely helped me out.


Basically I want to be able to search for explanations on whatever event happens so I can determine if I need to 
take action or not.



Josh
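As an added example (not part of the thread above), the following script does the lookup the replies describe: it splits the `[gid:sid:rev]` triple out of the syslog alert line, and then decides whether the event belongs to a text rule (GID 1, found in the rules files / sid-msg.map) or to a preprocessor (any other GID, described in gen-msg.map and the matching README). The gen-msg.map excerpt is constructed from the alert in the thread, not copied from a Snort distribution.

```python
import re

# Alert line as it appeared in syslog in the thread above.
SAMPLE_ALERT = ("2013-05-07T10:14:05-07:00 firewall snort[62223]: [120:8:1] (http_inspect) "
                "INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] "
                "[Priority: 3] {TCP} 209.97.200.53:32459 -> 216.178.47.38:80")

# Constructed excerpt in the "gid || sid || message" layout used by gen-msg.map
# (this entry is derived from the alert above, not taken from a Snort release).
GEN_MSG_MAP = "120 || 8 || (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE\n"

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s*"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s*\[Priority:\s*(?P<pri>\d+)\]\s*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def parse_alert(line):
    """Break a Snort alert line into its fields; returns None when it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for k in ("gid", "sid", "rev", "pri"):
        fields[k] = int(fields[k])
    return fields

def load_gen_msg_map(text):
    """Index a gen-msg.map style text by (gid, sid) -> message."""
    table = {}
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split("||")]
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table

def where_to_look(alert, gen_map):
    """GID 1 is a text rule; any other GID comes from a preprocessor or decoder."""
    if alert["gid"] == 1:
        return {"source": "rules",
                "hint": "grep for sid:%d in the rules files" % alert["sid"]}
    msg = gen_map.get((alert["gid"], alert["sid"]), alert["msg"])
    # Preprocessor events carry their generator name in parentheses, e.g. "(http_inspect)".
    pre = msg[1:msg.index(")")] if msg.startswith("(") and ")" in msg else "unknown"
    return {"source": "preprocessor", "preprocessor": pre,
            "hint": "see README.%s in the Snort docs for the option behind this event" % pre}

if __name__ == "__main__":
    print(where_to_look(parse_alert(SAMPLE_ALERT), load_gen_msg_map(GEN_MSG_MAP)))
```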

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
