How serious should I take "invalid chunk size" and "double decoding attack" alerts?



  • I'm in the monitoring phase of a new Snort deployment, evaluating the alerts before I turn on blocking. I'm seeing a lot of the following:

    GID:SID
    120:28
    (http_inspect) Invalid Chunk size or chunk size followed by junk characters
    Usually going to an Amazon AWS address, but also to a domain I’ve never heard of, possibly advertising?

    119:2
    (http_inspect) Double decoding attack
    Going to an Amazon AWS address.

    Also, I have been suppressing any alert dealing with AWS, Akamai, and Cloudfront. How do you all evaluate CDN or AWS traffic? Thanks for your input.



  • Not very seriously, to be honest. Those alerts are coming from the HTTP_INSPECT preprocessor rules within Snort. Those rules can be easily fooled these days by the normal things web sites do. First, the rules are HTTP but almost all traffic is now HTTPS. Second, the rules are looking for strict adherence to RFC recommendations. But in order to serve up ads and (to the extent they can) foil ad-blockers, web sites do a lot of non-standard stuff in their JavaScript code. This non-standard stuff is not always malicious, but the HTTP_INSPECT preprocessor rules may trigger on it as such.

    So disable those rules by clicking the red X. They are most likely getting tripped up trying to examine HTTPS-encrypted stuff. You are seeing the result of the web moving to SSL traffic. IDS/IPS is losing its effectiveness because it can't see inside the encrypted payloads.



  • Awesome, very helpful, thanks!


Log in to reply