[Snort-users] Logging URI too long

Bhagya Bantwal bbantwal at ...1935...
Thu May 31 11:17:42 EDT 2012

Hello Un saludo,

The URI is truncated before logging to u2. There is no alert when URI
is too long. The alert 119:25 is for long hostname.

If you have an URI that is not being logged, you can send us the pcap for it.



On Tue, May 22, 2012 at 7:55 AM, Nelo Belda <nbelda at ...11827...> wrote:
> Hi all,
> I realized a behaviour in Snort that I want to share with all of you. Snort
> is now logging URI and Hostname as Extra Data but, what if URI is too long?
> I've seen alerts related with error 500 that uri is present but when alert
> is 414 (URI too long) there's no extra data.
> I've made a patch in BASE to show Extra Data Info and tried with u2spewfoo
> as well but it seems that in this case it's not logged. That post says:
> "When a HTTP Request URI is greater than 2048 or when a HTTP hostname
> (specified in the "Host" Request header) is greater than 256, Snort will log
> the truncated the URI and/or hostname. A preprocessor alert with GID:119 and
> SID:25 is generated when hostname exceeds 256 bytes."
> Where is truncated? How can I get Extra Data of a "URI Too Long" alert? Is
> it logged in that case?
> Best regards
> Un saludo
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

More information about the Snort-users mailing list