How to suppress INVALID CONTENT-LENGTH OR CHUNK SIZE



  • I am constantly getting these in Snort Alerts.  Is it ok to suppress these for my ISP's address?  What is the code to supress this kind of http_inspect?

    WAN Jul 09 06:45:39 my.isp.my.isp:8644    (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
                                          62.119.66.46:80

    I think that it should be something like:
    suppress gen_id 120, sig_id 2, track by_src, ip my.isp.my.isp

    Thanks



  • Finally figured this out: Service / Snort / Alerts / click + next to rule to suppress.



  • @battles:

    Finally figured this out: Service / Snort / Alerts / click + next to rule to suppress.

    Yuo got it.  You can also just completely disable that rule.  I think a lot of folks disable quite a number of the HTTP_INSEPCT preprocessor rules as they tend to alert on just about every tiny infraction of RFC specs.  To disable a rule on the ALERTS tab, click the red X icon located beside the GID:SID.

    Bill



  • Thanks.  I was trying to individually suppress a rule for my isp address in Services / Snort / Alerts, and upon clicking the + button, I got this error:

    The following input errors were detected:
    Suppress List 'wansuppress_57828044c1f52' is defined for this interface, but it could not be found!

    Wonder what this is about?



  • @battles:

    Thanks.  I was trying to individually suppress a rule for my isp address in Services / Snort / Alerts, and upon clicking the + button, I got this error:

    The following input errors were detected:
    Suppress List 'wansuppress_57828044c1f52' is defined for this interface, but it could not be found!

    Wonder what this is about?

    Maybe a previously created/assigned suppress list that was later deleted.  Go to the INTERFACE SETTINGS tab for the Snort interface and set the SUPPRESS LIST to "default" and save the change.  Now go back to the ALERTS tab and try the suppress action again.  When you click the suppress icon on the ALERTS tab, it will auto-create a Suppress List file for the interface and assign it if one does not already exist.  If one is defined in the config.xml, then it will use that one instead.  In your case, one was defined in the config.xml for the interface but the actual content was not in the config.xml file.  This usually means the old list was deleted.

    Bill