[Snort-users] Learning more about alerts

waldo kitty wkitty42 at ...14940...
Wed Jul 23 18:15:37 EDT 2014


On 7/23/2014 12:21 PM, Rowell Dionicio wrote:
> Hi,
>
> I’m new to Snort and just started tuning it. I’m getting a lot of:
>
> http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
>
> I don’t want to rule anything out without inspecting it and knowing what it
> really means. What resource can I use to look into these various alerts?

one thing to do would be to look at the pcap that snort captured of the traffic 
and see exactly what that traffic is from... i see a lot of it myself and it 
seems to be where 3rd party traffic is pulled for ads and similar...

you can use tcmdump or wireshark to look at the pcap files... you might need to 
look at more than just what snort has captured to get a clear picture, though... 
that could entail enlisting a full packet capture tool to capture all the 
traffic all the time... but then again, one could craft a tcpdump or wireshark 
capture for the specific traffic and grab the flow that way...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.




More information about the Snort-users mailing list