Snort mailing list archives

Re: Learning more about alerts


From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 23 Jul 2014 18:15:37 -0400

On 7/23/2014 12:21 PM, Rowell Dionicio wrote:
Hi,

I’m new to Snort and just started tuning it. I’m getting a lot of:

http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

I don’t want to rule anything out without inspecting it and knowing what it
really means. What resource can I use to look into these various alerts?

one thing to do would be to look at the pcap that snort captured of the traffic 
and see exactly what that traffic is from... i see a lot of it myself and it 
seems to be where 3rd party traffic is pulled for ads and similar...

you can use tcpdump or wireshark to look at the pcap files... you might need to 
look at more than just what snort has captured to get a clear picture, though... 
that could entail enlisting a full packet capture tool to capture all the 
traffic all the time... but then again, one could craft a tcpdump or wireshark 
capture for the specific traffic and grab the flow that way...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
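
An added example, not part of the post above: once a flow has been pulled out of the pcap (for instance with Wireshark's Follow TCP Stream or tcpdump -A), this script triages the raw HTTP response bytes for the condition behind the http_inspect alert, separating responses that legitimately carry no framing headers (1xx, 204, 304) from the connection-close-delimited ones the alert is about. The sample responses are constructed here, not captured traffic; the function names are mine.

```python
# Added example (not from the mailing-list post): triage raw HTTP responses
# extracted from a pcap for the condition behind Snort's http_inspect alert
# "NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE".
import re

# Per RFC 7230 section 3.3.3 these responses carry no body, so missing framing
# headers are expected there. (HEAD responses also have no body, but that is
# only visible from the request side, which this response-only check lacks.)
BODYLESS_STATUS = {204, 304}

def parse_response_head(raw: bytes) -> tuple:
    """Split an HTTP/1.x response into (status code, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/1\.[01] (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP/1.x response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

def classify(raw: bytes) -> str:
    """Return one of:
    'framed'      - Content-Length or Transfer-Encoding present
    'bodyless'    - no body expected (1xx/204/304), not an alert concern
    'close-delim' - body delimited by connection close; this is what the
                    http_inspect alert flags and what is worth inspecting
    """
    status, headers = parse_response_head(raw)
    if "content-length" in headers or "transfer-encoding" in headers:
        return "framed"
    if status // 100 == 1 or status in BODYLESS_STATUS:
        return "bodyless"
    return "close-delim"

# Constructed sample responses (not captured traffic).
SAMPLES = {
    "ad_server": b"HTTP/1.1 200 OK\r\nServer: ad-thing\r\nConnection: close\r\n\r\n<html>...",
    "cdn": b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nhello world!",
    "chunked": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "not_modified": b"HTTP/1.1 304 Not Modified\r\nETag: \"abc\"\r\n\r\n",
}

def triage(samples: dict) -> dict:
    """Map each sample name to its classification."""
    return {name: classify(raw) for name, raw in samples.items()}
```

Running `triage(SAMPLES)` labels only the ad-server response as close-delimited, which is the one a tuner would want to look at before deciding whether to suppress the alert for that source.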

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
