<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic What we did is we disabled in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/hi-client-oversize-dir/m-p/2949766#M910355</link>
    <description>&lt;P&gt;What we did is we disabled the specific rule. Since this rule is disabled by default. It only enabled when you use the Firepower recommendations. Since after checking all the traffic seems to be legitimate.&lt;/P&gt;</description>
    <pubDate>Fri, 04 Nov 2016 14:41:31 GMT</pubDate>
    <dc:creator>vrian_colaba</dc:creator>
    <dc:date>2016-11-04T14:41:31Z</dc:date>
    <item>
      <title>HI_CLIENT_OVERSIZE_DIR</title>
      <link>https://community.cisco.com/t5/network-security/hi-client-oversize-dir/m-p/2949764#M910353</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;Good Day! Just wanted to ask if you encountered this issue&amp;nbsp;&lt;SPAN style="font-size: 12.0pt; font-family: 'Times New Roman',serif;"&gt;HI_CLIENT_OVERSIZE_DIR on the FireSIGHT Management Center Intrusion Events? If yes,&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="font-size: 12.0pt; font-family: 'Times New Roman',serif;"&gt;what are the best recommendation to handle this?&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="font-size: 12.0pt; font-family: 'Times New Roman',serif;"&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="font-size: 12.0pt; font-family: 'Times New Roman',serif;"&gt;Thank You.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;vrian&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="font-size: 12.0pt; font-family: 'Times New Roman',serif;"&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 13:54:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/hi-client-oversize-dir/m-p/2949764#M910353</guid>
      <dc:creator>vrian_colaba</dc:creator>
      <dc:date>2020-02-21T13:54:58Z</dc:date>
    </item>
    <item>
      <title>Hi vrian_colaba,</title>
      <link>https://community.cisco.com/t5/network-security/hi-client-oversize-dir/m-p/2949765#M910354</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;A href="https://supportforums.cisco.com/users/vriancolaba" title="View user profile." class="username" lang="" about="/users/vriancolaba" typeof="sioc:UserAccount" property="foaf:name" datatype=""&gt;vrian_colaba&lt;/A&gt;,&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;================================&lt;BR /&gt;(119:15) HI_CLIENT_OVERSIZE_DIR&lt;BR /&gt;================================&lt;/P&gt;
&lt;P&gt;This event is generated when the http_inspect pre-processor detects a request for a URL&lt;BR /&gt;that is longer than a specified length. There are certainly GET's with "long" requests;&lt;BR /&gt;the length of a few are '1296'. You can get the http preproc config file to see what the &lt;BR /&gt;"Oversize Dir Leght" value is. If after monitoring this alert you see no real&lt;BR /&gt;problem, you could potentially increase the 'Oversize Dir Length'&lt;/P&gt;
&lt;P&gt;You can enable the rule suppression for these rule following this steps:&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;1. Navigate to Policy &amp;gt; Intrusion Policy &amp;gt; (Select the pencil/edit icon next to your IPS policy)&lt;/P&gt;
&lt;P&gt;2. In the left hand menu, expand "Policy Layers" then "My Changes"&lt;/P&gt;
&lt;P&gt;3. In the left hand menue, select "Rules" under "My Changes"&lt;/P&gt;
&lt;P&gt;4. Within the rules search, filter for the rule. For example: "gid:119 sid:15" will match HI_CLIENT_OVERSIZE_DIR&lt;/P&gt;
&lt;P&gt;5. Select the checkbox next to the rule&lt;/P&gt;
&lt;P&gt;6. Click the "Event Filtering" menu and select "Suppression"&lt;/P&gt;
&lt;P&gt;7. Save and apply your IPS polic&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;This isn't always necessarily an attack, but just a symptom of odd HTTP traffic. It may be that you are hosting or&lt;BR /&gt;have an HTTP application which your clients regularly use with long HTTP URLs.&lt;/P&gt;
&lt;P&gt;http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Intrusion-Events.html#pgfId-4155029&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;Hope this info helps!!&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;Rate if helps you!!&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;-JP-&lt;/P&gt;</description>
      <pubDate>Mon, 26 Sep 2016 12:52:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/hi-client-oversize-dir/m-p/2949765#M910354</guid>
      <dc:creator>JP Miranda Z</dc:creator>
      <dc:date>2016-09-26T12:52:20Z</dc:date>
    </item>
    <item>
      <title>What we did is we disabled</title>
      <link>https://community.cisco.com/t5/network-security/hi-client-oversize-dir/m-p/2949766#M910355</link>
      <description>&lt;P&gt;What we did is we disabled the specific rule. Since this rule is disabled by default. It only enabled when you use the Firepower recommendations. Since after checking all the traffic seems to be legitimate.&lt;/P&gt;</description>
      <pubDate>Fri, 04 Nov 2016 14:41:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/hi-client-oversize-dir/m-p/2949766#M910355</guid>
      <dc:creator>vrian_colaba</dc:creator>
      <dc:date>2016-11-04T14:41:31Z</dc:date>
    </item>
  </channel>
</rss>

