09-12-2016 04:56 PM - edited 02-21-2020 05:54 AM
Hello,
Good Day! Just wanted to ask if you encountered this issue HI_CLIENT_OVERSIZE_DIR on the FireSIGHT Management Center Intrusion Events? If yes, what is the best recommendation to handle this?
Thank You.
vrian
09-26-2016 05:52 AM
Hi vrian_colaba,
================================
(119:15) HI_CLIENT_OVERSIZE_DIR
================================
This event is generated when the http_inspect preprocessor detects a request for a URL
that is longer than a specified length. There are certainly GETs with "long" requests;
the length of a few is '1296'. You can get the http preproc config file to see what the
"Oversize Dir Length" value is. If after monitoring this alert you see no real
problem, you could potentially increase the 'Oversize Dir Length'.
You can enable rule suppression for this rule by following these steps:
1. Navigate to Policy > Intrusion Policy > (Select the pencil/edit icon next to your IPS policy)
2. In the left hand menu, expand "Policy Layers" then "My Changes"
3. In the left hand menu, select "Rules" under "My Changes"
4. Within the rules search, filter for the rule. For example: "gid:119 sid:15" will match HI_CLIENT_OVERSIZE_DIR
5. Select the checkbox next to the rule
6. Click the "Event Filtering" menu and select "Suppression"
7. Save and apply your IPS policy
This isn't always necessarily an attack, but just a symptom of odd HTTP traffic. It may be that you are hosting or
have an HTTP application which your clients regularly use with long HTTP URLs.
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Intrusion-Events.html#pgfId-4155029
Hope this info helps!!
Rate if helps you!!
-JP-
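One way to do the monitoring suggested in the reply above before raising 'Oversize Dir Length' or suppressing gid:119 sid:15, as an added example (not from the thread or from Cisco): measure the longest path segment per request in web server access logs and see which clients would exceed a given limit. Assumptions: common log format, that the check applies to '/'-delimited segments of the raw URL path rather than the query string, and the sample limit of 500; the log lines are constructed.

```python
import re
from collections import Counter

# Matches the client address, method and request target of a common/combined log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+)[^"]*"')

def longest_segment(target):
    """Length of the longest '/'-delimited path segment, ignoring query and fragment."""
    path = re.split(r"[?#]", target, maxsplit=1)[0]
    return max(len(seg) for seg in path.split("/"))

def review(lines, limit):
    """Summarise which logged requests have a path segment longer than `limit`."""
    lengths, over, skipped = [], [], 0
    for line in lines:
        m = REQUEST_RE.match(line)
        if m is None:
            skipped += 1  # not a parsable request line; count it, do not guess
            continue
        client, method, target = m.groups()
        n = longest_segment(target)
        lengths.append(n)
        if n > limit:
            over.append((client, method, n))
    return {
        "parsed": len(lengths),
        "skipped": skipped,
        "max_segment": max(lengths, default=0),
        "over_limit": over,
        "by_client": dict(Counter(c for c, _, _ in over)),
    }

# Constructed sample log lines (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Sep/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [12/Sep/2016:10:00:02 +0000] "GET /app/%s/view HTTP/1.1" 200 90' % ("A" * 1296),
    '198.51.100.7 - - [12/Sep/2016:10:00:03 +0000] "GET /search?q=%s HTTP/1.1" 200 77' % ("x" * 2000),
    '198.51.100.7 - - [12/Sep/2016:10:00:04 +0000] "-" 400 0',
]

if __name__ == "__main__":
    # 500 is a sample limit for the demonstration, not a recommended setting.
    print(review(SAMPLE_LOG, limit=500))
```

If the same few internal clients and one application account for every over-limit request, that supports raising the limit or suppressing the rule for that traffic; scattered sources with long segments deserve a closer look first.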
11-04-2016 07:41 AM
What we did is we disabled the specific rule, since this rule is disabled by default. It is only enabled when you use the Firepower recommendations. After checking, all the traffic seems to be legitimate.