Snort mailing list archives
Re: snort3: problem with http_inspect
From: "Tom Peters (thopeter)" <thopeter () cisco com>
Date: Mon, 27 Feb 2017 16:39:04 +0000
Marcin,

I'm coming into this in the middle and apologies in advance if I have misunderstood.

You should not configure http_inspect (the new HTTP inspector) and http_server (the old HTTP inspector) at the same time. One or the other should be commented out in snort.lua by -- or deleted entirely.

Tom

On 2/25/17, 2:05 PM, "Marcin Dulak" <marcin.dulak () gmail com> wrote:
Hi,

I have a problem with http_inspect,
https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438

I make an HTTP request against the machine running snort/nfqueue:

    # curl -s -m 1 http://192.168.17.30/test

and expect my sid:3000001 (see below) to be triggered, but only sid:4000003 is triggered instead.

My question is what am I missing to trigger sid:3000001 with the new http_inspect?

Now, when in /etc/snort/snort.lua I use

    -- http_inspect = { }
    http_server = { }

then all but sid:4000001 are triggered:
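The check below is an added example, not part of the original thread or of Snort itself: it scans a snort.lua text for the situation Tom describes, where http_inspect and http_server are both configured outside of comments. The sample configurations are constructed; only the two inspector names and the `--` comment convention come from the thread.

```python
import re

# Inspector names are the two mentioned in the thread.
HTTP_INSPECTORS = ("http_inspect", "http_server")

def strip_lua_comments(text):
    """Drop Lua block comments (--[[ ]] / --[==[ ]==]) and then line comments.

    Limitation: a '--' inside a Lua string literal is treated as a comment.
    """
    text = re.sub(r"--\[(=*)\[.*?\]\1\]", "", text, flags=re.S)
    return re.sub(r"--[^\n]*", "", text)

def active_http_inspectors(snort_lua):
    """Return the HTTP inspectors that are assigned outside of comments."""
    code = strip_lua_comments(snort_lua)
    return [name for name in HTTP_INSPECTORS
            if re.search(r"(?<![\w.])" + name + r"\s*=(?!=)", code)]

def has_conflict(snort_lua):
    """True when both the new and the old HTTP inspector are configured."""
    return len(active_http_inspectors(snort_lua)) > 1

# Constructed sample configurations (not taken from the poster's files).
BOTH_ENABLED = """
stream_tcp = { }
http_inspect = { }
http_server = { }
"""
OLD_ONLY = """
stream_tcp = { }
-- http_inspect = { }
http_server = { }
"""
NEW_ONLY_BLOCK_COMMENT = """
http_inspect = { }
--[[
http_server = { }
]]
"""

if __name__ == "__main__":
    for label, cfg in [("both", BOTH_ENABLED), ("old only", OLD_ONLY),
                       ("new only", NEW_ONLY_BLOCK_COMMENT)]:
        state = "CONFLICT" if has_conflict(cfg) else "ok"
        print(f"{label}: {active_http_inspectors(cfg)} -> {state}")
```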