Network Security: Detailed info on RE: [Snort-users] Undocumented SIDs

Subject:	RE: [Snort-users] Undocumented SIDs
Date:	Thu, 21 Jul 2005 14:45:02 -0700

Thanks.  I can't be sure if they're related.  My alarms come from packets
with lines and lines of gibberish, with an occasional /.  I was first
curious because I've got identical gibberish from differant hosts on
differant networks in the last few hours.  If anyone is interested in the
packet payload I can send offlist.

Andrew



-----Original Message-----
From: M. Shirk [mailto:shirkdog_list@hotmail.com]
Sent: Thursday, July 21, 2005 2:21 PM
To: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Undocumented SIDs


Read this, and see if this is the traffic you are seeing

http://isc.sans.org/diary.php?date=2005-06-03

This is what is generating alot of the OVERSIZED REQUEST-URI events for me 
right now.

Shirkdog
http://www.shirkdog.us

From: Matt Kettler <mkettler@evi-inc.com>
To: "Willy, Andrew" <AWilly@eSMIL.net>
CC: "Snort Users (E-mail)" <snort-users@lists.sourceforge.net>
Subject: Re: [Snort-users] Undocumented SIDs
Date: Thu, 21 Jul 2005 16:47:20 -0400

Willy, Andrew wrote:

List,

Do any of you know off-hand a good place to get information on the

alerts

that aren't documented, such as OVERSIZE REQUEST-URI DIRECTORY, etc.  I
Googled away and did not find anything comprehensive.


That particular alert is not a rule, but is generated by the http_inspect
preprocessor. (gen_id 1)

You should look at docs/README.http_inspect.

NOTICE OF CONFIDENTIALITY-The information in this email, including
attachments, may be confidential


Disclaimer: This is a public list, therefore I in good faith assume all
information in emails posted here is not confidential, regardless of what
attached disclaimers imply may be true. I have no reasonable qualifications

to
distinguish confidential from non confidential information, unless clearly
marked by the sender. Any inadvertent disclosures which are not clearly 
marked
as being confidential are strictly the liability of the sender.

(couldn't resist)


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


_________________________________________________________________
Don't just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/



-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
NOTICE OF CONFIDENTIALITY-The information in this email, including
attachments, may be confidential and/or privileged and may contain
confidential health information. This email is intended to be reviewed only
by the individual or organization named as addressee. If you have received
this email in error please notify Scottsdale Medical Imaging, an affiliate
of Southwest Diagnostic Imaging, LTD immediately - by return message to the
sender or to support@esmil.com - and destroy all copies of this message and
any attachments. Please note that any views or opinions presented in this
email are solely those of the author and do not necessarily represent those
of Scottsdale Medical Imaging. Confidential health information is protected
by state and federal law, including, but not limited to, the Health
Insurance Portability and Accountability Act of 1996 and related
regulations.


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-users] Undocumented SIDs, Willy, Andrew Re: [Snort-users] Undocumented SIDs, Matt Kettler Re: [Snort-users] Undocumented SIDs, M. Shirk RE: [Snort-users] Undocumented SIDs, Willy, Andrew RE: [Snort-users] Undocumented SIDs, Willy, Andrew Re: [Snort-users] Undocumented SIDs, Matt Kettler RE: [Snort-users] Undocumented SIDs, Willy, Andrew <=

Previous by Date:	Re: [Snort-users] Undocumented SIDs, M. Shirk
Next by Date:	[Snort-users] Re: Undocumented SIDs, Nigel Houghton
Previous by Thread:	Re: [Snort-users] Undocumented SIDs, Matt Kettler
Next by Thread:	[Snort-users] P2P traffic?, gary douglas
Indexes:	[Date] [Thread] [Top] [All Lists]