1 Reply Latest reply on Aug 11, 2010 11:53 PM by rcamm

    Snort (http_inspect) Oversize request-uri directory {TCP}

      Recently we started to get these warnings which seem to happen when our 2nd office tried to access a web application at our main office.

      They can reach all of our other websites hosted at the main office but just this web app suddenly stops working for them.

       

      Anyone know what this warning is and or why it would affect only one web application (.Net). When I try and access it from my home it comes up fine so only seems to affect our second office in NZ.

       

      I can see in the snort.conf snort-inline.conf settings there is a preprocessor which has a oversize_dir_length 500 but not sure if making this bigger will help or if its even a good idea.

        • 1. Re: Snort (http_inspect) Oversize request-uri directory {TCP}

          the snort rules are very old and it is no suprise that this is flagged as modern web queries become longer/oversized that when the rules were originally created.

           

          It should not block unless you are using the snort IIPS feature.

           

          Do you get the issue if you use the more modern Endeavour ruleset only ?

           

          Google seems to show a number of  hits on this string if you want more info.