Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 2 subscribers
  • Views 2959 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

OVERSIZE REQUEST-URI DIRECTORY in ips.log

BarryG
Just upgraded from 5.2 to 6.104 (clean install, re-configured from scratch)

 Code:
  2006:02:27-14:39:28 (none) snort[4028]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY  {PROTO006} 64.162.232.173:1809 -> xx.xx.xx.xx:80
 
(where xx.xx.xx.xx is our firewalled web server)

This keeps showing up in our IPS log... from what I can find on Google, Snort's default for this is 500, which is probably too short.
I don't see any way to override this, or disable it (it's not in the rules), and I don't see it in snort.conf-default.

I'm worried as this is probably denying legitimate traffic to our site.

Thanks,
Barry


This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to BarryG
    You could probably call support, and I'm sure they'll point you to which file to edit in SSH to fix this.. also, I have a couple of .NET based sites running behind 6.104, and have had no issues.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    Yep, I'm waiting for a response from support.

    Have you looked at your IPS.log to be sure?

    My understanding is that this only would affect sites which have web forms created in visual studio .net.

    Thanks,
    Barry
Cookie Information Banner