[Snort-users] what triggers these?

Ralf Spenneberg lists at ...9778...
Wed Oct 12 06:08:30 EDT 2005


Hi Jason,

On Tuesday, 11.10.2005, at 09:26 -0400, Kretzer, Jason R (Big
Sandy) wrote:
> [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
This is caused by the http_inspect preprocessor. This preprocessor
analyzes at least part of your HTTP traffic. It found a URI in an HTTP
request where the directory string was longer than the maximum
configured:
http_inspect: oversize_dir_length


> [**] [1:1416:9] SNMP broadcast trap [**]
Your printer is configured to send out SNMP Broadcast Traps. If you do
not use any software that listens to SNMP Traps I would advise disabling
it. If you do, you might want to remove Signature 1416 in Snort
snmp.rules:
alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap";
reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132;
reference:cve,2002-0012; reference:cve,2002-0013;
classtype:attempted-recon; sid:1416; rev:9;)


>  
> The first is coming from the outside world, the second is coming from
> a network printer.  Are these anything to be really worried about?

Well, depending on the value you used for oversize_dir_length and your
webserver, it might be normal or unusual.

Cheers,

Ralf
-- 
Ralf Spenneberg
OpenSource Training                     http://www.opensource-training.de
Webereistr. 1                           48565 Steinfurt           Germany
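
Added example, not part of the original message or of Snort: one way to judge whether an OVERSIZE REQUEST-URI DIRECTORY alert is normal for a given web server is to measure the directory lengths in its own request lines and compare them with the configured oversize_dir_length. The function names, the sample requests and the limit of 300 are constructed for illustration, and the definition of "directory" used here (any run of bytes between two slashes in the path, before the query string) is an assumption that may differ in detail from the preprocessor's own accounting.

```python
# Added example: measure directory lengths in request lines (constructed data).
# Assumption: a "directory" is any run of bytes between two '/' in the path,
# before the query string; http_inspect's own accounting may differ in detail.

SAMPLE_REQUESTS = [  # constructed, not taken from the thread
    "GET /index.html HTTP/1.1",
    "GET /images/products/logo.png?v=3 HTTP/1.1",
    "GET http://www.example.com/docs/manual/ HTTP/1.1",
    "GET /" + "A" * 600 + "/page.html HTTP/1.0",
    "GET /search?q=" + "B" * 700 + " HTTP/1.1",
]


def uri_path(request_line):
    """Return the path part of the request target, without the query."""
    parts = request_line.split()
    if len(parts) < 2:
        return ""
    target = parts[1].split("?", 1)[0]
    if "://" in target:  # absolute-form target: drop scheme and host
        target = "/" + target.split("://", 1)[1].partition("/")[2]
    return target


def longest_dir_length(request_line):
    """Length of the longest slash-delimited component of the path."""
    return max((len(seg) for seg in uri_path(request_line).split("/")), default=0)


def audit(requests, limit):
    """Split requests into those within the limit and those over it."""
    sized = [(longest_dir_length(r), r) for r in requests]
    over = [(n, r) for n, r in sized if n > limit]
    normal = [n for n, _ in sized if n <= limit]
    return {"max_normal": max(normal, default=0), "over_limit": over}


if __name__ == "__main__":
    report = audit(SAMPLE_REQUESTS, limit=300)  # 300 is a constructed value
    print("longest directory within limit:", report["max_normal"])
    for length, line in report["over_limit"]:
        print(f"would exceed limit: {length} bytes: {line[:60]}...")
```

A long query string does not count as a directory here, so only the 600-byte path component is reported as over the limit.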





