[Snort-users] what triggers these?

Kretzer, Jason R (Big Sandy) jason.kretzer at ...13486...
Wed Oct 12 07:52:18 EDT 2005


> > [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
> This is caused by the http_inspect preprocessor. This preprocessor
> analyzes at least part of your HTTP traffic. It found a uri in an http
> request where the directory string was longer than the maximum
> configured:
> http_inspect: oversize_dir_length


What is odd is that all I am getting in my apache access.log is

218.111.85.66 - - [09/Oct/2005:09:10:46 -0400] "GET / HTTP/1.0" 302 382
"-" "-"
218.111.85.66 - - [09/Oct/2005:09:10:56 -0400] "GET / HTTP/1.0" 302 382
"-" "-"
67.140.25.161 - - [11/Oct/2005:06:53:38 -0400] "GET / HTTP/1.0" 302 386
"-" "-"
67.140.25.161 - - [11/Oct/2005:07:08:47 -0400] "GET / HTTP/1.0" 302 386
"-" "-"
67.140.25.161 - - [11/Oct/2005:07:17:16 -0400] "GET / HTTP/1.0" 302 386
"-" "-"
67.140.25.161 - - [11/Oct/2005:08:08:20 -0400] "GET / HTTP/1.0" 302 386
"-" "-"


Is this an attack of some sort?  I am getting code 302 which is 
302 - Found
The requested resource has been found under a different URI but the
client should continue to use the original URI. 

Should that not be 414?


If it helps, here is the full text of one of the alerts

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
10/11-06:53:38.450993 67.140.25.161:2729 -> this.is.my.ip:80
TCP TTL:115 TOS:0x0 ID:32819 IpLen:20 DgmLen:1420 DF
***A**** Seq: 0x4F16C405  Ack: 0xD13253C  Win: 0xFAF0  TcpLen: 20

-Jason




> -----Original Message-----
> From: Ralf Spenneberg [mailto:lists at ...9778...] 
> Sent: Wednesday, October 12, 2005 9:08 AM
> To: Kretzer, Jason R (Big Sandy)
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] what triggers these?
> 
> Hi Jason,
> 
> On Tuesday, 11.10.2005, 09:26 -0400, Kretzer, Jason R (Big Sandy)
> wrote:
> > [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
> This is caused by the http_inspect preprocessor. This preprocessor
> analyzes at least part of your HTTP traffic. It found a uri in an http
> request where the directory string was longer than the maximum
> configured:
> http_inspect: oversize_dir_length
> 
> 
> > [**] [1:1416:9] SNMP broadcast trap [**]
> Your printer is configured to send out SNMP Broadcast Traps. If you do
> not use any software that listens to SNMP Traps I would advise disabling
> it. If you do, you might want to remove Signature 1416 in Snort
> snmp.rules:
> alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap";
> reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132;
> reference:cve,2002-0012; reference:cve,2002-0013;
> classtype:attempted-recon; sid:1416; rev:9;)
> 
> 
> > The first is coming from the outside world, the second is coming from
> > a network printer.  Are these anything to be really worried about?
> 
> Well depending on the value you used for oversize_dir_length and your
> webserver it might be normal or unusual. 
> 
> Cheers,
> 
> Ralf
> -- 
> Ralf Spenneberg
> OpenSource Training
> http://www.opensource-training.de
> Webereistr. 1, 48565 Steinfurt, Germany
> 
> 
> 
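An added example (not Snort's code and not from anyone in the thread) of the check a defender would run on this data: it applies a per-segment length test like the one behind oversize_dir_length, then correlates the alert's source IP and timestamp with the access.log lines from the mail. On the posted data the only matching entry is `GET /`, whose longest directory segment is 0 characters, which shows that the logged request line alone cannot explain the alert. The threshold of 500 and the year 2005 are assumptions, and the sensor and web server are assumed to share a clock and time zone.

```python
import re
from datetime import datetime, timedelta

OVERSIZE_DIR_LENGTH = 500   # hypothetical; Jason's configured value is not in the mail
ASSUMED_YEAR = 2005         # Snort 2 alert timestamps carry no year

# Constructed inputs, copied from the alert and access.log lines in the mail.
SNORT_ALERT = """[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
10/11-06:53:38.450993 67.140.25.161:2729 -> this.is.my.ip:80
TCP TTL:115 TOS:0x0 ID:32819 IpLen:20 DgmLen:1420 DF"""
ACCESS_LOG = [
    '218.111.85.66 - - [09/Oct/2005:09:10:46 -0400] "GET / HTTP/1.0" 302 382 "-" "-"',
    '67.140.25.161 - - [11/Oct/2005:06:53:38 -0400] "GET / HTTP/1.0" 302 386 "-" "-"',
    '67.140.25.161 - - [11/Oct/2005:07:08:47 -0400] "GET / HTTP/1.0" 302 386 "-" "-"',
]

ALERT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ (\S+?):\d+ -> ", re.M)
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def longest_dir_segment(uri):
    """Length of the longest '/'-separated path segment, query string excluded.
    This is the kind of per-directory length check oversize_dir_length applies."""
    path = uri.split("?", 1)[0]
    return max((len(seg) for seg in path.split("/")), default=0)

def parse_snort_alert(text):
    """Return (source_ip, datetime) from the header of a Snort 2 text alert."""
    m = ALERT_RE.search(text)
    stamp = f"{ASSUMED_YEAR}-{m.group(1)}-{m.group(2)} {m.group(3)}"
    return m.group(4), datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")

def parse_apache_line(line):
    """Parse one combined-format access.log line (timezone offset ignored;
    sensor and web server are assumed to share a clock and zone)."""
    m = APACHE_RE.match(line)
    ts = datetime.strptime(m.group(2).split(" ")[0], "%d/%b/%Y:%H:%M:%S")
    return {"ip": m.group(1), "ts": ts, "uri": m.group(4), "status": int(m.group(5))}

def correlate(alert_text, log_lines, window=timedelta(seconds=5)):
    """Access.log entries from the alert's source IP inside the time window,
    each annotated with whether the URI Apache logged would itself exceed the limit."""
    ip, ts = parse_snort_alert(alert_text)
    hits = []
    for entry in map(parse_apache_line, log_lines):
        if entry["ip"] == ip and abs(entry["ts"] - ts) <= window:
            entry["dir_len"] = longest_dir_segment(entry["uri"])
            entry["over_limit"] = entry["dir_len"] > OVERSIZE_DIR_LENGTH
            hits.append(entry)
    return hits
```

When the logged URI is nowhere near the limit, the next step is to capture the offending packet payload on the sensor and compare it with what the web server recorded, since access.log only shows the request line Apache accepted.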