[Snort-users] Logging URI too long

Nelo Belda nbelda at ...11827...
Tue May 22 07:55:27 EDT 2012


Hi all,

I noticed a behaviour in Snort that I want to share with all of you. Snort
is now logging URI and Hostname as Extra Data but, what if the URI is too long?
I've seen alerts related to error 500 where the URI is present, but when the alert
is 414 (URI too long) there's no extra data.

I've made a patch in BASE to show Extra Data Info and tried with u2spewfoo
as well but it seems that in this case it's not logged. That post
<http://blog.snort.org/2011/09/snort-291-http-and-smtp-logging.html> says:

"When a HTTP Request URI is greater than 2048 or when a HTTP hostname
(specified in the "Host" Request header) is greater than 256, Snort will
log the truncated URI and/or hostname. A preprocessor alert with
GID:119 and SID:25 is generated when hostname exceeds 256 bytes."

Where is truncated? How can I get Extra Data of a "URI Too Long" alert? Is
it logged in that case?

Best regards
Regards