Snort mailing list archives

Re: Content checking in reassembled packets


From: Joel Esler <eslerj () gmail com>
Date: Sat, 24 Jan 2009 09:13:39 -0500

How far down in the HTTP packet is the traffic you are attempting to
alert on?  Set your flow_depth in http_inspect to "0" (as a test) and
try again.

I don't recommend you keep the setting at that number.  But you can try it.

BTW -- you don't need to do 1:65535.  Just put "any".

J

On Sat, Jan 24, 2009 at 2:37 AM, bahamin takhtaei <b_takhtaei () yahoo com> wrote:
Hi everybody,
I want to find a specific content in some reassembled TCP packets;

I add these rules to Snort:

alert tcp any 1:65535 -> any 1:65535 (msg:"content test"; flow:from_server,
established; content:"cart directory"; sid:1000000;)
alert tcp any 1:65535 -> any 1:65535 (msg:"content test"; flow:from_server,
only_stream; content:"cart directory"; sid:1000001;)
--------------------------------------------------------------------------

and I configure Stream4 in snort.conf:

preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble

Then send http traffic to the Snort-machine that contains the specific
content.
(I capture the traffic and check its validity), but the rules are not
triggered! Why please?!
(Notice: when the content is set in a single packet, Snort finds it)

Thanks.


------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
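To make the point of this exchange concrete, here is an added illustration (not code from the thread, and not Snort's own code): a small Python model of a server response split into TCP segments, with the pattern "cart directory" straddling a segment boundary. Per-segment matching misses it, matching on the reassembled stream finds it, and an inspection depth limit in the spirit of http_inspect's flow_depth can still hide a match that sits past the limit, which is why Joel suggests flow_depth 0 as a test. The HTTP response, the segment split, the depth values and the function names are all constructed for the example; the depth model is a simplification (a byte count over the reassembled response), not a reproduction of http_inspect's internals.

```python
# Added example: why a content match can fail per packet but succeed on the
# reassembled TCP stream, and how an inspection depth limit (modelled loosely
# on http_inspect's flow_depth) can still hide a deep match.
# Everything below is constructed for the demonstration.

from typing import List, Optional

PATTERN = b"cart directory"

# Constructed HTTP response, split into TCP segments the way a sender might
# emit them. The pattern straddles the boundary between segments 1 and 2.
SEGMENTS: List[bytes] = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    b"<html><body><p>Your items are in the cart dir",
    b"ectory on this server.</p></body></html>",
]


def match_per_packet(segments: List[bytes], pattern: bytes) -> Optional[int]:
    """Inspect each segment on its own (no reassembly).

    Returns the index of the first segment containing the pattern, or None.
    A pattern split across two segments is never seen this way.
    """
    for index, segment in enumerate(segments):
        if pattern in segment:
            return index
    return None


def reassemble(segments: List[bytes]) -> bytes:
    """Stream reassembly in its simplest form: concatenate in order.

    The segments here are constructed already in order with no overlap, so
    no sequence-number bookkeeping is needed for the illustration.
    """
    return b"".join(segments)


def match_stream(segments: List[bytes], pattern: bytes,
                 flow_depth: int = 0) -> Optional[int]:
    """Inspect the reassembled stream, optionally limited to a byte depth.

    flow_depth == 0 means "inspect everything" (the test setting Joel
    suggests); any other value only inspects the first flow_depth bytes of
    the response. Returns the byte offset of the match in the stream, or None.
    """
    data = reassemble(segments)
    inspected = data if flow_depth == 0 else data[:flow_depth]
    position = inspected.find(pattern)
    return position if position != -1 else None


if __name__ == "__main__":
    print("per-packet match:      ", match_per_packet(SEGMENTS, PATTERN))
    print("single-packet match:   ", match_per_packet([reassemble(SEGMENTS)], PATTERN))
    print("stream match, depth 0: ", match_stream(SEGMENTS, PATTERN))
    print("stream match, depth 60:", match_stream(SEGMENTS, PATTERN, flow_depth=60))
    print("stream match, depth 100:", match_stream(SEGMENTS, PATTERN, flow_depth=100))
```

With the constructed response the pattern begins at stream offset 81 (44 bytes of headers plus 37 bytes into the body), so a depth of 60 misses it while 0 or 100 finds it. The same reasoning applies to a real sensor: before tuning rules, confirm that the stream is actually being reassembled and that the bytes you care about fall inside whatever inspection depth the preprocessor applies.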

