[Snort-users] Logging URI too long
nbelda at ...11827...
Tue May 22 07:55:27 EDT 2012
I realized a behaviour in Snort that I want to share with all of you. Snort
is now logging URI and Hostname as Extra Data but, what if URI is too long?
I've seen alerts related with error 500 that uri is present but when alert
is 414 (URI too long) there's no extra data.
I've made a patch in BASE to show Extra Data Info and tried with u2spewfoo
as well but it seems that in this case it's not logged. That
"When a HTTP Request URI is greater than 2048 or when a HTTP hostname
(specified in the "Host" Request header) is greater than 256, Snort will
log the truncated the URI and/or hostname. A preprocessor alert with
GID:119 and SID:25 is generated when hostname exceeds 256 bytes."
Where is truncated? How can I get Extra Data of a "URI Too Long" alert? Is
it logged in that case?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users