Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: High Amount of http_inspect: OVERSIZE REQUEST-URI DIRECTORY

From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 28 Jul 2014 23:04:44 -0400
On 7/28/2014 11:23 AM, Rowell Dionicio wrote:

I’m getting a lot of false positives on: http_inspect: OVERSIZE REQUEST-URI
DIRECTORY

I know it’s a preprocessor analyzing http traffic where the directory string is
longer than the max configured but almost all that I have seen are legitimate
web traffic.


this is where tuning comes into play... you have to tune snort for your 
network's traffic... it seems to me that URI lengths have gotten quite long in 
recent years with all the ads and other shite flowing around the net... i set my 
URL lengths to at least 750 characters several years back... i may have also 
suppressed this alert for external sites and kept it active for my hosted servers...


Does this mean most of the web traffic is just pushing lots of characters into
the directory string


yes...


making this inspection mostly useless?


the default? yes... but this is why tuning snort (or any other IDS/IPS) is 
mandatory... there is no such thing as a one-size-fits-all installation with 
these things ;)


It seems that creating an alert that looks for something, a vulnerability,
within the content using pcre would make more sense.


that's another aspect and what rules developers do... however, being able to 
detect basic problems like this can also lead one to locating infestations...


Do most of you suppress these alerts or increase the directory length?


increase the setting so that it fits your hosted servers... if you have no 
hosted servers, then yes, you might want to suppress the alert...

HTH ;)

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
Infragistics Professional
Build stunning WinForms apps today!
Reboot your WinForms applications with our WinForms controls. 
Build a bridge from your legacy apps to the future.
http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: