Snort mailing list archives

http_preprocessor question


From: KA L <sorandomsec () gmail com>
Date: Tue, 22 Oct 2013 11:28:22 -0400

We've been getting a high number of http_preprocessor: OVERSIZED CHUNK
ENCODING alerts - our detection for "chunk encoding" is set to the default,
chunks larger than 500000.

Unfortunately I don't have pcap for all the alerts, but the ones I was
able to view in Wireshark don't seem to have any Transfer-Encoding: chunked
in the HTTP response/request traffic. My understanding was that this
preprocessor was firing only if it detected an HTTP request/response that
was larger than 500000 using chunked encoding.

So my question is: can someone provide more detail on what causes this
preprocessor rule to fire? And is there any other traffic that could be
causing a false positive?

Thanks,
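To make the question concrete, here is a small model of the check the post describes: walk the chunked body of an HTTP message, read each declared chunk size, and alert when a size exceeds the 500000 threshold. This is an added example written for this archive page, not Snort's http_inspect code, and it assumes the simplest reading of the alert (only messages that carry Transfer-Encoding: chunked are inspected, and the declared hex size is what is compared). Whether Snort applies that same header gate, or also tries to parse chunk-like bodies without the header, is exactly what the post is asking and is not settled by this example. The sample messages are constructed inline; the function and constant names are the example's own.

```python
"""Toy "oversized chunk" detector modelled on the alert described in the post.

Not Snort code: it illustrates the check "declared chunk size > max_chunk_length"
on constructed HTTP messages so the conditions that fire it can be seen directly.
"""
import re

# Threshold from the post ("chunks larger than 500000"); assumed, not read from a Snort config.
DEFAULT_MAX_CHUNK_LENGTH = 500000

# A chunk header: hex size, optional ";ext" chunk extension, then CRLF (RFC 7230 section 4.1).
CHUNK_SIZE_RE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")


def parse_http_message(raw):
    """Split a raw request or response into (start_line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_chunked(headers):
    """True when the message declares chunked transfer coding."""
    return b"chunked" in headers.get(b"transfer-encoding", b"").lower()


def iter_chunk_sizes(body):
    """Yield the declared size of each chunk, stopping at the 0 chunk or at malformed data.

    Only the size line is needed to decide "oversized": the data may be truncated
    (e.g. an incomplete capture) and the declared size still exceeds the limit.
    """
    pos = 0
    while pos < len(body):
        m = CHUNK_SIZE_RE.match(body, pos)
        if not m:
            return  # not a chunk header: stop rather than guess
        size = int(m.group(1), 16)
        yield size
        if size == 0:
            return
        pos = m.end() + size + 2  # skip the chunk data and its trailing CRLF


def check_message(raw, max_chunk_length=DEFAULT_MAX_CHUNK_LENGTH):
    """Return a list of alert strings for one HTTP message (empty if nothing fired)."""
    _, headers, body = parse_http_message(raw)
    if not is_chunked(headers):
        return []  # assumption: non-chunked messages are not inspected for chunk sizes
    return [
        f"OVERSIZED CHUNK ENCODING: declared chunk size {size} > {max_chunk_length}"
        for size in iter_chunk_sizes(body)
        if size > max_chunk_length
    ]


# Constructed sample messages (0x7A120 == 500000, 0x7A121 == 500001).
SAMPLE_OK = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"5\r\nhello\r\n0\r\n\r\n")
SAMPLE_BOUNDARY = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                   b"7A120\r\n" + b"A" * 16 + b"\r\n0\r\n\r\n")
SAMPLE_OVERSIZED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                    b"7A121;ext=1\r\n" + b"A" * 16 + b"\r\n0\r\n\r\n")
# Same hex-looking first body line, but no Transfer-Encoding header: not inspected here.
SAMPLE_NOT_CHUNKED = (b"HTTP/1.1 200 OK\r\nContent-Length: 7\r\n\r\n"
                      b"7A121\r\n")

if __name__ == "__main__":
    for name, msg in [("ok", SAMPLE_OK), ("boundary", SAMPLE_BOUNDARY),
                      ("oversized", SAMPLE_OVERSIZED), ("not_chunked", SAMPLE_NOT_CHUNKED)]:
        print(name, check_message(msg))
```

Run as is, only the "oversized" sample produces an alert: a chunk declared exactly 500000 bytes does not exceed the limit, and a message without Transfer-Encoding: chunked is skipped under this model even though its body starts with a hex line. If the real alerts are coming from captures without that header, the detector in use is evidently not gated the way this toy is, which is the detail worth confirming against the preprocessor's documentation.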
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net