Snort mailing list archives
Re: Strange HTTP results
From: Jeremy Hoel <jthoel () gmail com>
Date: Sat, 15 Dec 2012 22:58:51 -0700
A copy of the rule and a pcap of the traffic would be helpful.

On Sat, Dec 15, 2012 at 8:21 PM, Michael Papagiorgio <mrapagiorgio () gmail com> wrote:
Dear snort gurus,

I am trying to see why a rule didn't fire on a snort 2.9.4 system, but it does on a different system running snort 2.9.2.1. I am reading from the same pcap file on each system. The rule hits on a certain HTTP POST pattern. The 2.9.2.1 system correctly identifies and throws an alert. 2.9.4 doesn't even see any HTTP POSTs in the pcap at all. I upgraded from 2.9.3.2 to 2.9.4 to see if I could get it to work, but neither version worked. The rule will never fire if the issue is so low level that snort sees no POSTs. I tried using the working 2.9.2.1 snort.conf on the 2.9.4 system, but that didn't work either. Can someone give me an idea where to look? This is really vexing me.