Snort mailing list archives

Re: Learning more about alerts


From: Rowell Dionicio <RDionicio () infracore net>
Date: Thu, 24 Jul 2014 13:35:29 +0000

Thanks Tom. That was a great explanation. When it comes to rules, rule management, and what the rules mean, where could 
I get that information?

-Rowell

From: Tom Peters (thopeter) [mailto:thopeter () cisco com]
Sent: Wednesday, July 23, 2014 11:21 AM
To: Rowell Dionicio; Snort Users List (snort-users () lists sourceforge net)
Subject: Re: [Snort-users] Learning more about alerts

Rowell,

There are two ways HTTP headers can specify the length of the message body. They can specify the total length using the 
Content-Length header or they can specify "chunked" using the Transfer-Encoding header. Chunks are a sequence of 
individual body pieces each with their own length header. Chunks work well when the server is making up the response as 
it goes along and does not know the length up front.

Normally when an HTTP server sends a response that includes a body you will see one header or the other so the client 
knows what to expect. When neither one is present you get this alert.

Tom



From: Rowell Dionicio <RDionicio () infracore net>
Date: Wednesday, July 23, 2014 12:21 PM
To: "Snort Users List (snort-users () lists sourceforge net)" <snort-users () lists sourceforge net>
Subject: [Snort-users] Learning more about alerts

Hi,

I'm new to Snort and just started tuning it. I'm getting a lot of:

http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

I don't want to rule anything out without inspecting it and knowing what it really means. What resource can I use to 
look into these various alerts?

Thank you,

Rowell
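
The two body-framing methods Tom describes, and the case where neither header is present, as an added Python example that is not part of the original thread or of Snort's code. The sample responses are constructed, and treating 1xx, 204 and 304 responses as body-less follows the HTTP/1.1 specification rather than anything stated in the thread.

```python
"""Classify how an HTTP/1.x response frames its body (added example)."""

# Constructed sample responses, not captured traffic.
SAMPLES = {
    "length": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello",
    "chunked": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
               b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n",
    "neither": b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\nhello",
    "not-modified": b"HTTP/1.1 304 Not Modified\r\n\r\n",
}


def parse_response(raw: bytes):
    """Split a raw response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw: bytes) -> str:
    """Return 'no-body', 'chunked', 'content-length' or 'unframed'."""
    status, headers, _ = parse_response(raw)
    # Assumption from the HTTP/1.1 spec: these statuses never carry a body.
    if 100 <= status < 200 or status in (204, 304):
        return "no-body"
    codings = headers.get("transfer-encoding", "").lower().split(",")
    if codings[-1].strip() == "chunked":
        return "chunked"
    if "content-length" in headers:
        return "content-length"
    return "unframed"  # neither header present: the case behind the alert


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body: each chunk is '<hex size>CRLF<data>CRLF'."""
    out = b""
    while True:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # drop chunk extensions
        if size == 0:  # zero-length chunk terminates the body
            return out
        out += body[:size]
        body = body[size + 2:]  # skip the data and its trailing CRLF
```

An "unframed" response can only be delimited by the server closing the connection, so when triaging this alert it helps to check whether the flagged responses also carry `Connection: close`.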
