[Snort-users] help with file bpf and ip 0.0.0.0

hernani coelho hernani_coelho at ...4664...
Wed Jan 20 13:10:51 EST 2016



On 20-01-2016 17:55, wkitty42 at ...14940... wrote:
> On 01/20/2016 12:03 PM, hernani coelho wrote:
>> now i see if i search an web page snort give me alerts like this -->
>>
>> 	#0-(1-7731)
>> <http://192.168.1.66/base-1.4.5/base_qry_alert.php?submit=%230-%281-7731%29&sort_order=>
>> 	[snort <http://www.snort.org/search/sid/119-15>] http_inspect: OVERSIZE
>> REQUEST-URI DIRECTORY 	2016-01-20 16:59:34 	192.168.1.66
>> <http://192.168.1.66/base-1.4.5/base_stat_ipaddr.php?ip=192.168.1.66&netmask=32>:57514
>> 	95.172.94.15
>> <http://192.168.1.66/base-1.4.5/base_stat_ipaddr.php?ip=95.172.94.15&netmask32>:80
>> 	TCP
>>
>>
>> is safe to ignore port 80??
> IMHO, absolutely not...
>
> if you are getting oversize reports like that, you can increase the size of your
> oversize_dir_length setting in the http_inspect preprocessor section of your
> snort.conf file... we use 750 here but you may need a larger or smaller value
> depending on the traffic on your network...
>
thanks
i have removed 0.0.0.0 from home net
now how can i stop alerts from ip dst 0.0.0.0




More information about the Snort-users mailing list