Snort mailing list archives
Re: Learning more about alerts
From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 23 Jul 2014 18:15:37 -0400
On 7/23/2014 12:21 PM, Rowell Dionicio wrote:
Hi, I’m new to Snort and just started tuning it. I’m getting a lot of: http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE I don’t want to rule anything out without inspecting it and knowing what it really means. What resource can I use to look into these various alerts?
one thing to do would be to look at the pcap that snort captured of the traffic and see exactly what that traffic is from... i see a lot of it myself and it seems to be where 3rd party traffic is pulled for ads and similar... you can use tcpdump or wireshark to look at the pcap files... you might need to look at more than just what snort has captured to get a clear picture, though... that could entail enlisting a full packet capture tool to capture all the traffic all the time... but then again, one could craft a tcpdump or wireshark capture for the specific traffic and grab the flow that way...

--
NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
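Added example, not part of the original post and not Snort code: a way to triage a saved pcap for the responses this alert describes, listing each server that sent an HTTP response with neither a Content-Length nor a Transfer-Encoding header. It assumes a classic pcap file with Ethernet framing, IPv4, and response headers that fit in the first TCP segment (no stream reassembly); the function names and the sample packets are constructed for illustration.

```python
import struct

def tcp_payloads(pcap):
    """Yield (src_ip, src_port, payload) per IPv4/TCP packet in a classic pcap (Ethernet)."""
    endian = "<" if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]
        if len(tcp) >= 20:
            src = ".".join(str(b) for b in frame[26:30])
            yield src, struct.unpack("!H", tcp[:2])[0], tcp[(tcp[12] >> 4) * 4:]

def unframed_responses(pcap):
    """List (server_ip, port, status_line) for responses with neither framing header."""
    hits = []
    for src, sport, data in tcp_payloads(pcap):
        if not data.startswith(b"HTTP/"):
            continue                           # only segments that begin a response
        lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        names = {l.split(":", 1)[0].strip().lower() for l in lines[1:] if ":" in l}
        if not names & {"content-length", "transfer-encoding"}:
            hits.append((src, sport, lines[0]))
    return hits

def make_frame(src_ip, sport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero) for the sample."""
    tcp = struct.pack("!HHIIBBHHH", sport, 40000, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes([192, 0, 2, 10]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed two-packet capture: one unframed response, one with Content-Length."""
    frames = [make_frame("198.51.100.7", 80, b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n"
                                             b"Connection: close\r\n\r\nGIF89a"),
              make_frame("203.0.113.5", 80, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    for server, port, status in unframed_responses(sample_pcap()):
        print(server, port, status)
```

Grouping the output by server address shows whether the alerts cluster on a few third-party hosts, which is the pattern the reply above describes.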