
[Snort-users] Learning more about alerts


Rowell Dionicio
Jul 23, 2014, 12:21:37 PM

Hi,

I’m new to Snort and just started tuning it. I’m getting a lot of:

http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

I don’t want to rule anything out without inspecting it and knowing what it really means. What resource can I use to look into these various alerts?

Thank you,

Rowell


Tom Peters (thopeter)
Jul 23, 2014, 2:21:28 PM

Rowell,

There are two ways HTTP headers can specify the length of the message body. They can specify the total length using the Content-Length header or they can specify "chunked" using the Transfer-Encoding header. Chunks are a sequence of individual body pieces each with their own length header. Chunks work well when the server is making up the response as it goes along and does not know the length up front.

Normally when an HTTP server sends a response that includes a body you will see one header or the other so the client knows what to expect. When neither one is present you get this alert.

Tom
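The two body-framing mechanisms Tom describes, and the gap between them that this http_inspect alert flags, worked through as an added example (this is not code from the thread or from the Snort project). It parses a raw HTTP/1.1 response head, reports whether the body is delimited by Content-Length, by chunked Transfer-Encoding, or by neither (the alert condition), and reassembles a chunked body so the per-chunk length lines are visible. It goes one step past the thread by treating 1xx, 204 and 304 responses as having no body, since those status classes never carry one under RFC 7230 and would otherwise show up as false "missing length" hits. The function names and the sample responses are constructed for this example.

```python
"""Classify HTTP/1.1 responses by how they delimit the message body.

Added example, not from the Snort-users thread or from Snort itself.
The 'close-delimited' outcome is the situation behind the alert
http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE:
the receiver can only learn where the body ends when the connection closes.
"""


def parse_response_head(raw: bytes):
    """Split a raw response into (status_code, headers dict, body bytes).

    Header names are lower-cased; duplicate headers are joined with ', '
    as RFC 7230 permits. The body is returned untouched.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {status_line!r}")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers, body


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a chunked body: <hex-size>[;ext] CRLF <data> CRLF ... 0 CRLF CRLF."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last chunk; any trailer headers are ignored here
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data


def body_framing(raw: bytes) -> str:
    """Return how the response body is delimited.

    'no-body'         status that never carries a body (1xx, 204, 304)
    'content-length'  explicit total length
    'chunked'         Transfer-Encoding whose final coding is 'chunked'
    'close-delimited' neither header: the case the alert reports

    Assumption: the request method is unknown here, so a reply to HEAD
    (also body-less) would be classified by its headers alone.
    """
    status, headers, _ = parse_response_head(raw)
    if 100 <= status < 200 or status in (204, 304):
        return "no-body"
    te = headers.get("transfer-encoding", "")
    if te:
        # Transfer-Encoding takes precedence over Content-Length when both appear.
        codings = [c.strip().lower() for c in te.split(",")]
        return "chunked" if codings[-1] == "chunked" else "close-delimited"
    if "content-length" in headers:
        return "content-length"
    return "close-delimited"


# Constructed sample responses, one per framing case.
SAMPLES = {
    "length": (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
               b"Content-Length: 5\r\n\r\nhello"),
    "chunked": (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"),
    "none": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             b"Connection: close\r\n\r\n<html>ad</html>"),
    "nocontent": b"HTTP/1.1 204 No Content\r\nServer: x\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {body_framing(raw)}")
    _, _, chunked_body = parse_response_head(SAMPLES["chunked"])
    print(decode_chunked(chunked_body))
```

Running it prints one line per sample; only the "none" sample comes out as close-delimited, which is the shape of the responses the alert is pointing at. When triaging, the status code and the Connection header of the offending response are the first things worth checking, since a body-less status or an explicit Connection: close changes how much the missing length actually matters.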

waldo kitty
Jul 23, 2014, 6:15:37 PM

On 7/23/2014 12:21 PM, Rowell Dionicio wrote:
> Hi,
>
> I’m new to Snort and just started tuning it. I’m getting a lot of:
>
> http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
>
> I don’t want to rule anything out without inspecting it and knowing what it
> really means. What resource can I use to look into these various alerts?

one thing to do would be to look at the pcap that snort captured of the traffic
and see exactly what that traffic is from... i see a lot of it myself and it
seems to be where 3rd party traffic is pulled for ads and similar...

you can use tcpdump or wireshark to look at the pcap files... you might need to
look at more than just what snort has captured to get a clear picture, though...
that could entail enlisting a full packet capture tool to capture all the
traffic all the time... but then again, one could craft a tcpdump or wireshark
capture for the specific traffic and grab the flow that way...

--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Rowell Dionicio
Jul 24, 2014, 9:35:29 AM

From: Tom Peters (thopeter) [mailto:thop...@cisco.com]
Sent: Wednesday, July 23, 2014 11:21 AM
To: Rowell Dionicio; Snort Users List (snort...@lists.sourceforge.net)
Subject: Re: [Snort-users] Learning more about alerts