Snort mailing list archives

Re: Strange HTTP results

From: Jeremy Hoel <jthoel () gmail com>
Date: Sat, 15 Dec 2012 22:58:51 -0700

A copy of the rule and a pcap of the traffic would be helpful.

On Sat, Dec 15, 2012 at 8:21 PM, Michael Papagiorgio
<mrapagiorgio () gmail com> wrote:

Dear snort gurus,

I am trying to see why a rule didn't fire on a snort 2.9.4 system, but it
does on a different system running snort 2.9.2.1.  I am reading from the
same pcap file on each system.  The rule hits on a certain HTTP POST
pattern.  The 2.9.2.1 system correctly identifies and throws an alert.
2.9.4 doesn't even see any HTTP POSTs in the pcap at all.  I upgraded from
2.9.3.2 to to 2.9.4 to see if I could get it to work, but neither  version
worked.  The rule will never fire if the issue is so low level that snort
sees no POSTs.  I tried using the working 2.9.2.1 snort.conf on the 2.9.4
system, but that didn't work either.

Can someone give me an idea where to look, this is really vexing me.


------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Strange HTTP results Michael Papagiorgio (Dec 15)
- Re: Strange HTTP results Jeremy Hoel (Dec 15)
- Re: Strange HTTP results Joel Esler (Dec 16)