Snort mailing list archives
Re: Content checking in reassembled packets
From: Joel Esler <eslerj () gmail com>
Date: Sat, 24 Jan 2009 09:13:39 -0500
How far down in the HTTP packet is the traffic you are attempting to alert on? Set your flow_depth in http_inspect to "0" (as a test) and try again. I don't recommend you keep the setting at that number. But you can try it.

BTW -- you don't need to do 1:65535. Just put "any".

J

On Sat, Jan 24, 2009 at 2:37 AM, bahamin takhtaei <b_takhtaei () yahoo com> wrote:
Hi everybody,

I want to find specific content in some reassembled TCP packets; I added these rules to Snort:

alert tcp any 1:65535 -> any 1:65535 (msg:"content test"; flow:from_server, established; content:"cart directory"; sid:1000000;)
alert tcp any 1:65535 -> any 1:65535 (msg:"content test"; flow:from_server, only_stream; content:"cart directory"; sid:1000001;)
--------------------------------------------------------------------------

and I configured Stream4 in snort.conf:

preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble

Then I send HTTP traffic containing the specific content to the Snort machine (I capture the traffic and check its validity), but the rules are not triggered! Why, please?!

(Notice: when the content is in a single packet, Snort finds it.)

Thanks.

------------------------------------------------------------------------------
This SF.net email is sponsored by: SourceForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
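A small simulation of the two effects this thread turns on: a pattern that straddles a TCP segment boundary is only visible after stream reassembly, and a flow_depth-style limit means only the first N bytes of the server response are searched, so a pattern deeper in the response is missed unless the depth is 0. This is an added example, not Snort code and not from either poster; the HTTP response, the segment cut points and the depth values 0 and 300 are constructed for the demonstration, and the inspection window is a simplified model of http_inspect's flow_depth, not its exact byte accounting.

```python
# Added example (not code from the Snort project or from the thread's authors).
# It simulates the two effects the thread is about:
#   1. a pattern split across TCP segments is only found after reassembly;
#   2. a flow_depth-style limit searches only the first N bytes of the server
#      response, so a pattern deeper than that is missed unless the depth is 0.
# The HTTP response, the segment boundaries and the depth values are constructed.
from typing import Dict, List

PATTERN = b"cart directory"

# Constructed server response; the pattern sits well past byte 300.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>" + b"x" * 400 +
    b"see the cart directory here</body></html>"
)


def segment(data: bytes, cuts: List[int]) -> List[bytes]:
    """Split data into segment-like chunks at the given absolute offsets."""
    bounds = [0] + sorted(cuts) + [len(data)]
    return [data[a:b] for a, b in zip(bounds, bounds[1:]) if b > a]


def per_packet_match(segments: List[bytes], pattern: bytes) -> bool:
    """What a rule sees without reassembly: each segment searched on its own."""
    return any(pattern in seg for seg in segments)


def stream_match(segments: List[bytes], pattern: bytes, flow_depth: int = 0) -> bool:
    """What a rule sees after reassembly, with a simplified flow_depth:
    only the first flow_depth bytes of the reassembled server response are
    searched; 0 means the whole response (the test setting from the thread)."""
    stream = b"".join(segments)
    window = stream if flow_depth == 0 else stream[:flow_depth]
    return pattern in window


def split_segments() -> List[bytes]:
    """Segments cut in the middle of the pattern, so no single segment holds it."""
    mid = RESPONSE.index(PATTERN) + len(PATTERN) // 2
    return segment(RESPONSE, [mid])


def intact_segments() -> List[bytes]:
    """Segments cut inside the headers, so the pattern stays within one segment."""
    return segment(RESPONSE, [20])


def run_scenarios() -> Dict[str, bool]:
    """Return which scenarios would produce a content match."""
    split, intact = split_segments(), intact_segments()
    return {
        # the "Notice" in the post: a pattern inside one packet is found anyway
        "intact/per_packet": per_packet_match(intact, PATTERN),
        # pattern straddling a segment boundary: per-packet search misses it
        "split/per_packet": per_packet_match(split, PATTERN),
        # reassembled, whole response inspected (depth 0): found
        "split/stream_depth0": stream_match(split, PATTERN, flow_depth=0),
        # reassembled but only the first 300 bytes inspected: missed
        "split/stream_depth300": stream_match(split, PATTERN, flow_depth=300),
    }


if __name__ == "__main__":
    for name, hit in run_scenarios().items():
        print(f"{name:24s} {'ALERT' if hit else 'no match'}")
```

Running the block prints one line per scenario; the "split/stream_depth300" case is the situation described in the original post (reassembly on, but the match deep in the response never reached), and "split/stream_depth0" is the test the reply suggests.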
Current thread:
- Content checking in reassembled packets bahamin takhtaei (Jan 23)
- Re: Content checking in reassembled packets Joel Esler (Jan 24)