Snort mailing list archives
Re: High Amount of http_inspect: OVERSIZE REQUEST-URI DIRECTORY
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 28 Jul 2014 23:04:44 -0400
On 7/28/2014 11:23 AM, Rowell Dionicio wrote:
> I'm getting a lot of false positives on: http_inspect: OVERSIZE REQUEST-URI DIRECTORY. I know it's a preprocessor analyzing http traffic where the directory string is longer than the max configured, but almost all that I have seen are legitimate web traffic.
this is where tuning comes into play... you have to tune snort for your network's traffic... it seems to me that URI lengths have gotten quite long in recent years with all the ads and other shite flowing around the net... i set my URL lengths to at least 750 characters several years back... i may have also suppressed this alert for external sites and kept it active for my hosted servers...
> Does this mean most of the web traffic is just pushing lots of characters into the directory string
yes...
> making this inspection mostly useless?
the default? yes... but this is why tuning snort (or any other IDS/IPS) is mandatory... there is no such thing as a one-size-fits-all installation with these things ;)
> It seems that creating an alert that looks for something, a vulnerability, within the content using pcre would make more sense.
that's another aspect and what rules developers do... however, being able to detect basic problems like this can also lead one to locating infestations...
> Do most of you suppress these alerts or increase the directory length?
increase the setting so that it fits your hosted servers... if you have no hosted servers, then yes, you might want to suppress the alert... HTH ;)

-- 
NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.