Snort mailing list archives
Re: Complete packet payload search
From: Todd Wease <twease () sourcefire com>
Date: Mon, 26 Oct 2009 06:52:41 -0400
Try setting flow_depth to 0 - this will inspect entire server payload.

On 10/26/2009 06:40 AM, luismanuel.carril () usc es wrote:
> Hi,
>
> I'm trying to use Snort to see if some keywords are crossing the network in any kind of packet. But, for example, with the rule:
>
> alert ip any 80 -> any any (content:"foo"; msg:"Foo detected";)
>
> If a webserver sends me a response with a webpage with the word "foo" it isn't detected. I've seen that the http_inspect preprocessor has a flow_depth parameter, but even with it at the value of 1460, I still cannot search all the packet payload.
>
> What parameters do I need to change to make this possible?
>
> Thank you
> Luis M.
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
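Added illustration, not part of either poster's message: how the setting suggested in the reply would sit in snort.conf next to the value from the question, using Snort 2.8.x http_inspect syntax. The port list and the unicode map file name are assumed values; the rule is the one quoted in the question.

```conf
# snort.conf fragment (Snort 2.8.x syntax; port list and map file are assumed values)

# Global http_inspect settings; the per-server line below depends on this one.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Before: the value tried in the question. Only a bounded prefix of each
# HTTP server response is handed to the detection engine, so a "foo" that
# appears later in the page body is never compared against the rule.
# preprocessor http_inspect_server: server default \
#     profile all ports { 80 } flow_depth 1460

# After: flow_depth 0 inspects the entire server response.
# (-1 is the opposite extreme: server responses are ignored altogether.)
# Expect a higher CPU cost, since response bodies are no longer skipped.
preprocessor http_inspect_server: server default \
    profile all ports { 80 } flow_depth 0

# Rule from the question, unchanged.
alert ip any 80 -> any any (content:"foo"; msg:"Foo detected";)
```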
Current thread:
- Complete packet payload search luismanuel . carril (Oct 26)
- Re: Complete packet payload search Todd Wease (Oct 26)
- <Possible follow-ups>
- Re: Complete packet payload search luismanuel . carril (Oct 26)
- Re: Complete packet payload search Jason Brvenik (Oct 26)
- Re: Complete packet payload search luismanuel . carril (Oct 26)
- Re: Complete packet payload search Jason Brvenik (Oct 26)