HI_CLIENT_OVERSIZE_DIR

vrian_colaba
Level 1

Hello,

Good Day! Just wanted to ask if you encountered this issue HI_CLIENT_OVERSIZE_DIR on the FireSIGHT Management Center Intrusion Events? If yes, what are the best recommendations to handle this?

Thank You.

vrian

2 Replies

JP Miranda Z
Cisco Employee

Hi vrian_colaba,

================================
(119:15) HI_CLIENT_OVERSIZE_DIR
================================

This event is generated when the http_inspect pre-processor detects a request for a URL
that is longer than a specified length. There are certainly GETs with "long" requests;
the length of a few are '1296'. You can get the http preproc config file to see what the
"Oversize Dir Length" value is. If after monitoring this alert you see no real
problem, you could potentially increase the 'Oversize Dir Length'.

You can enable the rule suppression for this rule following these steps:


1. Navigate to Policy > Intrusion Policy > (Select the pencil/edit icon next to your IPS policy)

2. In the left hand menu, expand "Policy Layers" then "My Changes"

3. In the left hand menu, select "Rules" under "My Changes"

4. Within the rules search, filter for the rule. For example: "gid:119 sid:15" will match HI_CLIENT_OVERSIZE_DIR

5. Select the checkbox next to the rule

6. Click the "Event Filtering" menu and select "Suppression"

7. Save and apply your IPS policy


This isn't always necessarily an attack, but just a symptom of odd HTTP traffic. It may be that you are hosting or
have an HTTP application which your clients regularly use with long HTTP URLs.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Intrusion-Events.html#pgfId-4155029

Hope this info helps!!

Rate if helps you!! 

-JP-

What we did is we disabled the specific rule, since this rule is disabled by default. It is only enabled when you use the Firepower recommendations. After checking, all the traffic seems to be legitimate.
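For the monitoring step in JP's reply, here is an added example (not part of the original thread and not Cisco code) that reads web-server access-log lines and groups requests whose longest URL directory exceeds the limit by client and application path, so you can see whether the alerts trace back to one known application before suppressing the rule or raising the limit. The log lines, the `LIMIT` value and the function names are constructed for illustration, and it assumes the limit applies to a single '/'-delimited directory, as Snort's http_inspect documentation describes for `oversize_dir_length`.

```python
import re
from collections import defaultdict

LIMIT = 500  # assumed 'Oversize Dir Length'; use the value from your http_inspect config

# Constructed sample lines in combined-log style (not taken from the thread).
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    f'10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sso/{"t" * 1296}/login HTTP/1.1" 200 901',
    f'10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /sso/{"t" * 640}/login HTTP/1.1" 200 877',
    f'10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /search?q={"a" * 900} HTTP/1.1" 200 64',
    'malformed line without a request',
])

REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

def longest_dir(target):
    """Length of the longest '/'-delimited path segment; the query string is ignored."""
    path = target.split("?", 1)[0]
    return max(len(seg) for seg in path.split("/"))

def triage(log_text, limit=LIMIT):
    """Group over-limit requests by (client, first path component)."""
    groups = defaultdict(lambda: {"count": 0, "max_len": 0})
    skipped = 0
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            skipped += 1  # keep a count so unparsed lines are not silently lost
            continue
        client, target = m.groups()
        n = longest_dir(target)
        if n > limit:
            app = "/" + target.split("?", 1)[0].lstrip("/").split("/", 1)[0]
            g = groups[(client, app)]
            g["count"] += 1
            g["max_len"] = max(g["max_len"], n)
    return dict(groups), skipped

if __name__ == "__main__":
    groups, skipped = triage(SAMPLE_LOG)
    for (client, app), g in sorted(groups.items()):
        print(f"{client} {app}: {g['count']} over {LIMIT}, longest directory {g['max_len']}")
    print(f"unparsed lines: {skipped}")
```

If every over-limit group maps to an application you host and expect, that supports raising the limit above the largest `max_len` seen or suppressing the rule; a group that matches no known application deserves a closer look first.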
