I am getting tons of these:
2008:06:13-23:40:18 (none) barnyard[29354]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: OVERSIZE REQUEST-URI DIRECTORY" group="0" srcip="172.16.3.100" dstip="130.227.119.20" proto="6" srcport="38310" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
The destination IP is a legitimate dating site, which pulls in a lot of ads from doubleclick.net. These URL's are *very* long - could it be those that trigger the alert ?
How do I disable this signature - I can modfiy a rule, disabling it, but what is the rule ID for this rule ?
2101 is used for other signatures as well.
119 (generator) appear unique for this message, but disabling 119 does not stop the messages.
Regards
Michael
This thread was automatically locked due to age.
