How seriously should I take "invalid chunk size" and "double decoding attack" alerts?
I'm in the monitoring phase of a new Snort deployment, evaluating the alerts before I turn on blocking. I'm seeing a lot of the following:
(http_inspect) Invalid Chunk size or chunk size followed by junk characters
Usually going to an Amazon AWS address, but also to a domain I’ve never heard of, possibly advertising?
(http_inspect) Double decoding attack
Going to an Amazon AWS address.
Also, I have been suppressing any alert dealing with AWS, Akamai, and Cloudfront. How do you all evaluate CDN or AWS traffic? Thanks for your input.
bmeeks
So disable those rules by clicking the red X. They are most likely getting tripped up trying to examine HTTPS-encrypted stuff. You are seeing the result of the web moving to SSL traffic. IDS/IPS is losing its effectiveness because it can't see inside the encrypted payloads.
Awesome, very helpful, thanks!
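An added triage helper to go with bmeeks's point (this is example code, not from the thread or from Snort): it parses Snort "fast" alert lines and separates http_inspect preprocessor alerts whose destination port is a TLS port (where the preprocessor is looking at ciphertext) from those on cleartext ports, which are the ones still worth reading. The alert lines, GID:SID values and addresses are constructed sample data, and the TLS port set is an assumption to adjust for your network.

```python
import re
from collections import Counter

# Snort "fast" alert lines, constructed for this example. GID:SID values,
# addresses and timestamps are made up and are not taken from a real sensor.
SAMPLE_ALERTS = """\
03/14-10:22:01.123456 [**] [119:999:1] (http_inspect) Invalid Chunk size or chunk size followed by junk characters [**] [Priority: 3] {TCP} 192.168.1.50:51234 -> 203.0.113.10:443
03/14-10:22:02.223456 [**] [119:998:1] (http_inspect) Double decoding attack [**] [Priority: 3] {TCP} 192.168.1.50:51235 -> 203.0.113.11:443
03/14-10:22:03.323456 [**] [119:999:1] (http_inspect) Invalid Chunk size or chunk size followed by junk characters [**] [Priority: 3] {TCP} 192.168.1.51:51236 -> 198.51.100.7:80
03/14-10:22:04.423456 [**] [1:2000001:1] EXAMPLE POLICY rule (constructed) [**] [Priority: 2] {TCP} 192.168.1.52:51237 -> 198.51.100.8:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Destination ports where the payload is normally TLS, so the HTTP
# preprocessor is parsing ciphertext rather than HTTP (assumed set).
TLS_PORTS = {443, 8443}

def parse_alert(line):
    """Parse one fast-format line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def triage_http_inspect(text):
    """Return (tls_alerts, cleartext_alerts, cleartext_message_counts) for
    http_inspect preprocessor alerts; other alerts are ignored."""
    tls, clear, messages = [], [], Counter()
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None or not rec["msg"].startswith("(http_inspect)"):
            continue
        if rec["dport"] in TLS_PORTS:
            tls.append(rec)
        else:
            clear.append(rec)
            messages[rec["msg"]] += 1
    return tls, clear, messages

if __name__ == "__main__":
    tls, clear, _ = triage_http_inspect(SAMPLE_ALERTS)
    print(f"http_inspect alerts on TLS ports: {len(tls)}, on cleartext ports: {len(clear)}")
```

Point it at your real alert file with `triage_http_inspect(open(path).read())`; anything left in the cleartext group is a stream http_inspect could actually parse, so those are the ones to look at before enabling blocking.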