[Snort-users] help with file bpf and ip 0.0.0.0

Joel Esler (jesler) jesler at ...589...
Wed Jan 20 16:52:14 EST 2016


On Jan 20, 2016, at 1:10 PM, hernani coelho <hernani_coelho at ...4664...<mailto:hernani_coelho at ...4664...>> wrote:



On 20-01-2016 17:55, wkitty42 at ...14940...<mailto:wkitty42 at ...14940...> wrote:
On 01/20/2016 12:03 PM, hernani coelho wrote:
now i see if i search an web page snort give me alerts like this -->

#0-(1-7731)
<http://192.168.1.66/base-1.4.5/base_qry_alert.php?submit=%230-%281-7731%29&sort_order=>
[snort <http://www.snort.org/search/sid/119-15>] http_inspect: OVERSIZE
REQUEST-URI DIRECTORY 2016-01-20 16:59:34 192.168.1.66
<http://192.168.1.66/base-1.4.5/base_stat_ipaddr.php?ip=192.168.1.66&netmask=32>:57514
95.172.94.15
<http://192.168.1.66/base-1.4.5/base_stat_ipaddr.php?ip=95.172.94.15&netmask32>:80
TCP


is safe to ignore port 80??
IMHO, absolutely not...

if you are getting oversize reports like that, you can increase the size of your
oversize_dir_length setting in the http_inspect preprocessor section of your
snort.conf file... we use 750 here but you may need a larger or smaller value
depending on the traffic on your network...

thanks
i have removed 0.0.0.0 from home net
now how can i stop alerts from ip dst 0.0.0.0



How is traffic from 0.0.0.0 transversing the network?

That’s what I want to know.

--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20160120/37f53808/attachment.html>


More information about the Snort-users mailing list