[Pgbuildfarm-members] Build farm triggering Snort alerts...

Lists: buildfarm-members
From: Robert Creager <Robert_Creager(at)LogicalChaos(dot)org>
To: PGBuildFarm <pgbuildfarm-members(at)pgfoundry(dot)org>
Subject: [Pgbuildfarm-members] Build farm triggering Snort alerts...
Date: 2005-12-28 05:05:53
Message-ID: 20051227220553.005bfc8c@thunder.logicalchaos.org


Just something interesting I noticed. The scripts are triggering Snort alerts (BARE BYTE UNICODE ENCODING and OVERSIZE REQUEST-URI DIRECTORY), on the outbound session when sending results.

Cheers,
Rob

--
21:58:04 up 10 days, 8:16, 6 users, load average: 2.05, 2.09, 2.05
Linux 2.6.12-12mdkcustom #2 SMP Sat Dec 17 15:34:49 EST 2005


From: "Andrew Dunstan" <andrew(at)dunslane(dot)net>
To: <Robert_Creager(at)LogicalChaos(dot)org>
Cc: pgbuildfarm-members(at)pgfoundry(dot)org
Subject: Re: [Pgbuildfarm-members] Build farm triggering Snort alerts...
Date: 2005-12-28 12:55:16
Message-ID: 3587.24.211.165.134.1135774516.squirrel@www.dunslane.net
Lists: buildfarm-members

Robert Creager said:
>
> Just something interesting I noticed. The scripts are triggering Snort
> alerts (BARE BYTE UNICODE ENCODING and OVERSIZE REQUEST-URI DIRECTORY),
> on the outbound session when sending results.
>

Then snort is being absurdly paranoid, and needs to chill. ;-)

The supposed "directory" doesn't exist, of course. What it probably thinks
is a directory name is in fact the request signature which we append to the
URL and the script extracts via PATHINFO. e.g.:

127.0.0.1 - - [28/Dec/2005:02:37:50 -0800] "POST /cgi-bin/pgstatus.pl/aaac141e46ea17aee8cf3012adc174fcac273e62 HTTP/1.1" 200 59

As for the unicode - I have no idea what it's talking about - perl's LWP
should be encoding anything that requires it properly.

If someone can work out snort settings to silence these alerts then please
let us all know - I don't use snort so I have no idea.

cheers

andrew
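To make concrete what the two alerts Andrew names are reacting to, here is an added example (my code, not Snort's http_inspect source and not part of the buildfarm scripts) that runs the same two URI checks over access-log lines of the shape quoted above. The first constructed log line mirrors the one in Andrew's reply; the other two are constructed to show the bare-byte case. The directory-length threshold of 32, the "40 hex digits" recognizer for the buildfarm signature, and the exact alert wording are assumptions made for this example, not values taken from Snort or from the buildfarm.

```python
"""Re-creation of the two URI checks from the thread, run over constructed
Apache-style access-log lines.  Added example: not Snort code, not buildfarm code."""
import re
from typing import List

# Constructed sample lines.  Lines are kept as bytes so that a raw high byte in
# a URI (the "bare byte" case) survives instead of being decoded by Python.
SAMPLE_LOG = [
    # Mirrors the request quoted in the thread: a 40-hex-char signature as trailing PATH_INFO.
    b'127.0.0.1 - - [28/Dec/2005:02:37:50 -0800] "POST /cgi-bin/pgstatus.pl/aaac141e46ea17aee8cf3012adc174fcac273e62 HTTP/1.1" 200 59',
    # Constructed: non-ASCII properly percent-encoded (%C3%A9 is UTF-8 for e-acute); all ASCII on the wire.
    b'127.0.0.1 - - [28/Dec/2005:02:38:10 -0800] "GET /cgi-bin/pgstatus.pl/%C3%A9/x HTTP/1.1" 200 12',
    # Constructed: the same character sent as a raw 0xE9 byte, i.e. not percent-encoded.
    b'127.0.0.1 - - [28/Dec/2005:02:38:20 -0800] "GET /cgi-bin/pgstatus.pl/\xe9/x HTTP/1.1" 400 0',
]

# Request-line extractor for common-log-format lines: method, URI, HTTP version.
REQ_RE = re.compile(rb'"([A-Z]+) (\S+) HTTP/\d\.\d"')
# Shape of the buildfarm request signature as seen in the quoted log line (assumed heuristic).
HEX40_RE = re.compile(rb'^[0-9a-f]{40}$')


def extract_uri(log_line: bytes) -> bytes:
    """Return the request-URI from one access-log line."""
    m = REQ_RE.search(log_line)
    if not m:
        raise ValueError("no request line found in log entry")
    return m.group(2)


def oversize_dirs(uri: bytes, max_dir_len: int) -> List[bytes]:
    """Path segments (what a URI normalizer treats as directory names) longer than
    max_dir_len.  The query string is not part of the path, so it is stripped first."""
    path = uri.split(b'?', 1)[0]
    return [seg for seg in path.split(b'/') if len(seg) > max_dir_len]


def bare_bytes(uri: bytes) -> List[int]:
    """Bytes >= 0x80 appearing raw in the URI.  A correctly percent-encoded
    sequence such as %C3%A9 is pure ASCII and does not trip this check."""
    return [b for b in uri if b >= 0x80]


def looks_like_buildfarm_signature(seg: bytes) -> bool:
    """Constructed tuning heuristic: a lone 40-hex-digit segment, the shape the
    buildfarm's appended signature has in the quoted log line."""
    return HEX40_RE.match(seg) is not None


def inspect(log_line: bytes, max_dir_len: int = 32) -> List[str]:
    """Return the list of alert strings this line would raise under the two checks.
    max_dir_len=32 is an assumed threshold chosen so the quoted request trips it."""
    uri = extract_uri(log_line)
    alerts = []
    for seg in oversize_dirs(uri, max_dir_len):
        tag = " (matches buildfarm signature shape)" if looks_like_buildfarm_signature(seg) else ""
        alerts.append(f"OVERSIZE REQUEST-URI DIRECTORY: {len(seg)} bytes{tag}")
    raw = bare_bytes(uri)
    if raw:
        alerts.append(f"BARE BYTE UNICODE ENCODING: {len(raw)} raw non-ASCII byte(s)")
    return alerts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(extract_uri(line).decode("latin-1"), "->", inspect(line) or ["no alert"])
```

Running it shows the first line flagged only because the 40-character signature is longer than the assumed directory-length threshold, the percent-encoded line raising nothing, and the raw-0xE9 line raising the bare-byte alert; calling `inspect(SAMPLE_LOG[0], max_dir_len=500)` returns no alerts, which is the effect of raising the directory-length limit in the sensor's HTTP inspection settings (in Snort's http_inspect_server this is the `oversize_dir_length` option) rather than changing what the client sends.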