[Snort-users] Logging URI too long

Nelo Belda nbelda at ...11827...
Thu May 31 12:08:25 EDT 2012


I apologize for confusion. My question is not about URI truncation but is
about logging URI request on alerts triggered by server responses. Why are
URIs logged when error 500 occurs and not when is 414?

Today, I've detected an alert with full URI that was triggered by error 414
so I think URIs were not logged due to memory insufficiency or any other
reason. Maybe I is due to a low memcap. And yes, URI was 2048 chars length.

Thank you

PS: "Un saludo" means "Regards" in spanish. It isn't my name ;)

2012/5/31 Bhagya Bantwal <bbantwal at ...1935...>

> Hello Un saludo,
>
> The URI is truncated before logging to u2. There is no alert when URI
> is too long. The alert 119:25 is for long hostname.
>
> If you have an URI that is not being logged, you can send us the pcap for
> it.
>
> Thanks!
>
> -B
>
> On Tue, May 22, 2012 at 7:55 AM, Nelo Belda <nbelda at ...11827...> wrote:
> > Hi all,
> >
> > I realized a behaviour in Snort that I want to share with all of you.
> Snort
> > is now logging URI and Hostname as Extra Data but, what if URI is too
> long?
> > I've seen alerts related with error 500 that uri is present but when
> alert
> > is 414 (URI too long) there's no extra data.
> >
> > I've made a patch in BASE to show Extra Data Info and tried with
> u2spewfoo
> > as well but it seems that in this case it's not logged. That post says:
> >
> > "When a HTTP Request URI is greater than 2048 or when a HTTP hostname
> > (specified in the "Host" Request header) is greater than 256, Snort will
> log
> > the truncated the URI and/or hostname. A preprocessor alert with GID:119
> and
> > SID:25 is generated when hostname exceeds 256 bytes."
> >
> > Where is truncated? How can I get Extra Data of a "URI Too Long" alert?
> Is
> > it logged in that case?
> >
> > Best regards
> > Un saludo
> >
> >
> ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort
> > news!
>

Traduce<http://www.wordreference.com/es/translation.asp?tranword=Why%20are%20URIs%20logged%20when%20error%20500%20occurs%20and%20not%20when%20#article>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120531/19014540/attachment.html>


More information about the Snort-users mailing list