[Snort-users] what triggers these?

Kretzer, Jason R (Big Sandy) jason.kretzer at ...13486...
Wed Oct 12 08:23:18 EDT 2005


Wait a minute, ignore the 302 code stuff below.  This is expected
behavior.

Sorry about that.

-Jason
 

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Kretzer, Jason R (Big Sandy)
> Sent: Wednesday, October 12, 2005 10:54 AM
> To: Ralf Spenneberg
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] what triggers these?
> 
> 
> > > [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
> > This is caused by the http_inspect preprocessor. This preprocessor
> > analyzes at least part of your HTTP traffic. It found a URI in an HTTP
> > request where the directory string was longer than the maximum
> > configured:
> > http_inspect: oversize_dir_length
> 
> 
> What is odd is that all I am getting in my Apache access.log is
> 
> 218.111.85.66 - - [09/Oct/2005:09:10:46 -0400] "GET / HTTP/1.0" 302 382 "-" "-"
> 218.111.85.66 - - [09/Oct/2005:09:10:56 -0400] "GET / HTTP/1.0" 302 382 "-" "-"
> 67.140.25.161 - - [11/Oct/2005:06:53:38 -0400] "GET / HTTP/1.0" 302 386 "-" "-"
> 67.140.25.161 - - [11/Oct/2005:07:08:47 -0400] "GET / HTTP/1.0" 302 386 "-" "-"
> 67.140.25.161 - - [11/Oct/2005:07:17:16 -0400] "GET / HTTP/1.0" 302 386 "-" "-"
> 67.140.25.161 - - [11/Oct/2005:08:08:20 -0400] "GET / HTTP/1.0" 302 386 "-" "-"
> 
> 
> Is this an attack of some sort?  I am getting code 302, which is
> 302 - Found: The requested resource has been found under a different URI,
> but the client should continue to use the original URI.
> 
> Should that not be 414?
> 
> 
> If it helps, here is the full text of one of the alerts
> 
> [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
> 10/11-06:53:38.450993 67.140.25.161:2729 -> this.is.my.ip:80
> TCP TTL:115 TOS:0x0 ID:32819 IpLen:20 DgmLen:1420 DF
> ***A**** Seq: 0x4F16C405  Ack: 0xD13253C  Win: 0xFAF0  TcpLen: 20
> 
> -Jason
> 
> 
> 
> 
> > -----Original Message-----
> > From: Ralf Spenneberg [mailto:lists at ...9778...] 
> > Sent: Wednesday, October 12, 2005 9:08 AM
> > To: Kretzer, Jason R (Big Sandy)
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] what triggers these?
> > 
> > Hi Jason,
> > 
> > On Tuesday, 11.10.2005, at 09:26 -0400, Kretzer, Jason R (Big Sandy)
> > wrote:
> > > [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
> > This is caused by the http_inspect preprocessor. This preprocessor
> > analyzes at least part of your HTTP traffic. It found a URI in an HTTP
> > request where the directory string was longer than the maximum
> > configured:
> > http_inspect: oversize_dir_length
> > 
> > 
> > > [**] [1:1416:9] SNMP broadcast trap [**]
> > Your printer is configured to send out SNMP Broadcast Traps. If you do
> > not use any software that listens to SNMP Traps I would advise disabling
> > it. If you do, you might want to remove Signature 1416 in Snort
> > snmp.rules:
> > alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap";
> > reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132;
> > reference:cve,2002-0012; reference:cve,2002-0013;
> > classtype:attempted-recon; sid:1416; rev:9;)
> > 
> > 
> > >  
> > > The first is coming from the outside world, the second is coming from
> > > a network printer.  Are these anything to be really worried about?
> > 
> > Well, depending on the value you used for oversize_dir_length and your
> > web server, it might be normal or unusual.
> > 
> > Cheers,
> > 
> > Ralf
> > -- 
> > Ralf Spenneberg
> > OpenSource Training
> > http://www.opensource-training.de
> > Webereistr. 1, 48565 Steinfurt, Germany
> > 
> > 
> > 
> 
> 
> 

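Added example, not part of the thread and not Snort's own code: a small Python approximation of the http_inspect oversize_dir_length check discussed above, run over constructed request lines. It assumes the check measures the span between consecutive slashes on the percent-decoded path (so a bare final filename or a long query string does not count as a directory) and uses an assumed threshold of 500, parsed from a constructed http_inspect_server config fragment. It also shows why a bare "GET /" like the access.log entries quoted above cannot trip the check by itself, and why the server's status code is a separate matter: Apache returns 414 only when the request line exceeds Apache's own limit, which is independent of Snort's threshold.

```python
import re
from urllib.parse import unquote

# Constructed Snort 2.x http_inspect_server fragment. The 500-byte threshold is
# an assumed value for this example, not the one used in the thread.
SNORT_CONF = r"""
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    oversize_dir_length 500
"""


def parse_oversize_dir_length(conf, default=500):
    """Pull the oversize_dir_length value out of an http_inspect_server block."""
    m = re.search(r"\boversize_dir_length\s+(\d+)", conf)
    return int(m.group(1)) if m else default


def request_uri(request_line):
    """Return the Request-URI from a request line such as 'GET / HTTP/1.0'."""
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[1]


def directory_lengths(uri):
    """Lengths of each directory component of the URI path.

    Approximation of the preprocessor's check (an assumption of this example):
    the query string is dropped, the path is percent-decoded so that %2F becomes
    a slash as normalization would make it, and only components terminated by a
    slash count as directories. The final component (a filename) is not measured.
    """
    path = uri.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)
    segments = path.split("/")
    # segments[0] is the empty string before the leading slash; the last
    # element is the filename (or '' when the path ends in a slash).
    return [len(s) for s in segments[1:-1]]


def oversize_dir_alert(request_line, threshold):
    """Return (alerted, longest_dir) for one request line against the threshold."""
    lengths = directory_lengths(request_uri(request_line))
    longest = max(lengths, default=0)
    return longest > threshold, longest


def main():
    threshold = parse_oversize_dir_length(SNORT_CONF)
    # Constructed request lines; none are taken from real traffic.
    samples = [
        ("bare root, as in the access.log", "GET / HTTP/1.0"),
        ("600-byte directory", "GET /" + "A" * 600 + "/index.html HTTP/1.0"),
        ("600-byte filename, no trailing slash", "GET /" + "A" * 600 + " HTTP/1.0"),
        ("long query string only", "GET /cgi-bin/x?" + "q" * 900 + " HTTP/1.0"),
        ("percent-encoded 600-byte directory", "GET /" + "%41" * 600 + "/ HTTP/1.0"),
    ]
    for label, line in samples:
        alerted, longest = oversize_dir_alert(line, threshold)
        print("%-38s longest dir=%4d  %s" % (
            label, longest, "ALERT 119:15" if alerted else "no alert"))


if __name__ == "__main__":
    main()
```

Run it directly to see each constructed request scored. Only directory components terminated by a slash count, so a "GET /" line scores zero whatever the threshold; the percent-encoded case shows why the check has to run on the normalized URI rather than the raw bytes on the wire, and Apache's 302 in the log says nothing about whether Snort's limit was exceeded.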