So I have been getting a ton of snort alerts lately and I am not sure what to make of them. They appear to be DNS redirects and the one IP traces back to Comcast MN servers. The other IPs they are attached to typically come back as not being resolvable. Anything I need to worry about or some sort of false flag? I am on Comcast internet BTW.
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
SID 120:3
CLASS Unknown Traffic
Ports are varied as well as the source IP. Turns out the Comcast IP is my new external IP, just had not realized it changed recently. These are all from the WAN port. Most are inbound, but a few have been outbound.
On the WAN side you will see quite a bit of junk. At a stab, without seeing more, I think the first one will be for streaming things, as they will be http/s but won't show as such and snort will mis-see them, or some form of chunked HTTP download. The second one is just bugs in the rules; it'll be your browser doing TLS 'stuff' with Facebook which snort doesn't understand (or the browser isn't following the standard 100%), could be client side cert verification.
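For triaging the 120:3 alert, this added example (not from the thread or from Snort) classifies how an HTTP response delimits its body under RFC 7230 section 3.3.3 and reports whether it carries neither header named in the alert text. The function names and sample responses are constructed for illustration.

```python
# Added example: how does an HTTP response frame its body (RFC 7230 sec. 3.3.3)?
# Function names and sample responses are constructed for illustration.

def parse_head(raw: bytes):
    """Return (status_code, headers) with lowercase header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response status line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def body_framing(raw: bytes) -> str:
    """Classify the response as no-body, chunked, content-length or close-delimited."""
    status, headers = parse_head(raw)
    if 100 <= status < 200 or status in (204, 304):
        return "no-body"              # these status codes never carry a body
    te = headers.get("transfer-encoding", "")
    if te:
        codings = [c.strip().lower() for c in te.split(",")]
        # chunked must be the final coding; otherwise the body ends at close
        return "chunked" if codings[-1] == "chunked" else "close-delimited"
    if "content-length" in headers:
        return "content-length"
    return "close-delimited"          # legal: body runs until the server closes

def matches_alert_condition(raw: bytes) -> bool:
    """True when neither Content-Length nor Transfer-Encoding is present."""
    _, headers = parse_head(raw)
    return "content-length" not in headers and "transfer-encoding" not in headers

# Constructed sample responses
STREAM = b"HTTP/1.0 200 OK\r\nContent-Type: audio/mpeg\r\nConnection: close\r\n\r\n\x00\x01"
CHUNKED = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
SIZED = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
NOT_MODIFIED = b"HTTP/1.1 304 Not Modified\r\nETag: \"abc\"\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("stream", STREAM), ("chunked", CHUNKED),
                      ("sized", SIZED), ("304", NOT_MODIFIED)]:
        print(name, body_framing(raw), matches_alert_condition(raw))
```

A close-delimited or bodiless response that matches the alert condition is valid HTTP, so the useful triage question is whether the traffic belongs to a known streaming or browsing session.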
Very useful links. Thanks for that. The first one especially! REP+