[Snort-users] Learning more about alerts
wkitty42 at ...14940...
Wed Jul 23 18:15:37 EDT 2014
On 7/23/2014 12:21 PM, Rowell Dionicio wrote:
> I’m new to Snort and just started tuning it. I’m getting a lot of:
> http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
> I don’t want to rule anything out without inspecting it and knowing what it
> really means. What resource can I use to look into these various alerts?
one thing to do would be to look at the pcap that snort captured of the traffic
and see exactly what that traffic is from... i see a lot of it myself and it
seems to be where 3rd party traffic is pulled for ads and similar...
you can use tcpdump or wireshark to look at the pcap files... you might need to
look at more than just what snort has captured to get a clear picture, though...
that could entail enlisting a full packet capture tool to capture all the
traffic all the time... but then again, one could craft a tcpdump or wireshark
capture for the specific traffic and grab the flow that way...
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
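The two steps suggested in the reply above (pull the single flow out of a capture, then read the raw response to see why http_inspect fired) can be scripted. The following is an added example and not code from the list message or from Snort: it builds the tcpdump/Wireshark capture filter for one flow from the alert's addresses and ports, and classifies how an HTTP response frames its body, so a missing Content-Length/Transfer-Encoding pair (the alert condition) can be told apart from a response that legitimately has no body. The sample responses are constructed, the classification follows RFC 7230 section 3.3.3 rather than Snort's internal logic, and the function and variable names are this example's own.

```python
"""Triage helper for the Snort http_inspect alert
"NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE".

Added example, not part of the mailing-list thread or of Snort.
"""


def flow_bpf_filter(client_ip: str, client_port: int,
                    server_ip: str, server_port: int) -> str:
    """Build a BPF expression matching both directions of one TCP flow.

    The result works as the filter argument of `tcpdump -r file.pcap`
    and as a Wireshark capture filter (not a display filter).
    """
    return (f"tcp and ((src host {client_ip} and src port {client_port} and "
            f"dst host {server_ip} and dst port {server_port}) or "
            f"(src host {server_ip} and src port {server_port} and "
            f"dst host {client_ip} and dst port {client_port}))")


def parse_response_head(raw: bytes):
    """Split raw response bytes into (status line, {lower-cased header: value}).

    Only the head is parsed; the body after the blank line is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = \
                value.strip().decode("latin-1")
    return status, headers


def classify_length_framing(raw: bytes) -> str:
    """Return how the response body is delimited.

    'transfer-encoding' and 'content-length' are the framed cases;
    'no-body-expected' covers 1xx/204/304, which never carry a body
    (RFC 7230 s3.3.3); 'connection-close' is the remaining case, where
    the body runs until the server closes the connection. That last
    case is the one the alert text describes: an inspector has no
    length to bound the body by, so the response is harder to inspect.
    """
    status, headers = parse_response_head(raw)
    code = int(status.split()[1])
    if "transfer-encoding" in headers:
        return "transfer-encoding"
    if "content-length" in headers:
        return "content-length"
    if 100 <= code < 200 or code in (204, 304):
        return "no-body-expected"
    return "connection-close"


def triage(raw: bytes) -> dict:
    """Summarise the fields an analyst looks at first when deciding
    whether the flagged response is routine third-party content."""
    status, headers = parse_response_head(raw)
    framing = classify_length_framing(raw)
    return {
        "status": status,
        "server": headers.get("server", "?"),
        "content_type": headers.get("content-type", "?"),
        "framing": framing,
        # True when the response matches the alert's stated condition
        "alert_condition": framing == "connection-close",
    }


# Constructed sample responses (not captured traffic).
AD_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
               b"Connection: close\r\n\r\n<html>ad slot</html>")
LENGTH_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 5\r\n\r\nhello")
CHUNKED_RESPONSE = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                    b"5\r\nhello\r\n0\r\n\r\n")
NO_CONTENT_RESPONSE = b"HTTP/1.1 204 No Content\r\nServer: nginx\r\n\r\n"


if __name__ == "__main__":
    # Hypothetical 5-tuple, as it would be read off the Snort alert line.
    print(flow_bpf_filter("10.0.0.5", 51234, "203.0.113.10", 80))
    for sample in (AD_RESPONSE, LENGTH_RESPONSE, CHUNKED_RESPONSE, NO_CONTENT_RESPONSE):
        print(triage(sample))
```

With the filter string in hand, `tcpdump -r snort.log.pcap -A '<filter>'` prints just that flow's payload, and the `triage` output tells you at a glance whether the response was length-framed, chunked, bodiless, or close-delimited; the last group is where the reply's "3rd party traffic for ads" typically shows up.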