This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

OVERSIZE REQUEST-URI DIRECTORY in ips.log

Just upgraded from 5.2 to 6.104 (clean install, re-configured from scratch)

Code:

  2006:02:27-14:39:28 (none) snort[4028]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY  {PROTO006} 64.162.232.173:1809 -> xx.xx.xx.xx:80

(where xx.xx.xx.xx is our firewalled web server)

This keeps showing up in our IPS log... from what I can find on Google, Snort's default for this is 500, which is probably too short.
I don't see any way to override this, or disable it (it's not in the rules), and I don't see it in snort.conf-default.

I'm worried as this is probably denying legitimate traffic to our site.

Thanks,
Barry

This thread was automatically locked due to age.

Parents

0 BarryG over 19 years ago

Since we're using IIS & dot net, it looks like I'll have to turn of the IPS until this is resolved, as it's breaking our site.
[:(]
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BarryG over 19 years ago

Since we're using IIS & dot net, it looks like I'll have to turn of the IPS until this is resolved, as it's breaking our site.
[:(]
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BrucekConvergent over 19 years ago in reply to BarryG

You could probably call support, and I'm sure they'll point you to which file to edit in SSH to fix this.. also, I have a couple of .NET based sites running behind 6.104, and have had no issues.
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 19 years ago in reply to BrucekConvergent

Yep, I'm waiting for a response from support.

Have you looked at your IPS.log to be sure?

My understanding is that this only would affect sites which have web forms created in visual studio .net.

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Cancel