Snort mailing list archives
Re: HTTP reassembly problem - Snort 2.9.6.1
From: Mateusz Pigulski <m.pigulski () gmail com>
Date: Thu, 26 Jun 2014 14:45:29 +0200
Hi Joel, have you tried to reproduce this issue??

2014-06-23 8:56 GMT+02:00 Mateusz Pigulski <m.pigulski () gmail com>:

> Sure, you can find everything in the attachments. During my test I sent an HTTP POST request via curl:
>
> curl -i http://10.11.169.41:50007/kabira/kpsa/submitOrder -H "Content-Type: text/xml" --data-binary "@testreq.xml"
>
> In the attachment you can find the xml file which I sent via curl.
>
> 2014-06-23 0:33 GMT+02:00 Joel Esler (jesler) <jesler () cisco com>:
>
>> Do you have packet captures and a configuration we can use to reproduce the issue?
>>
>> --
>> Joel Esler
>> Sent from my iPhone
>>
>> On Jun 22, 2014, at 16:04, "Mateusz Pigulski" <m.pigulski () gmail com> wrote:
>>
>>> Hello, does anybody know this issue??
>>>
>>> 2014-06-17 23:14 GMT+02:00 Mateusz Pigulski <m.pigulski () gmail com>:
>>>
>>>> Hi experts!!! I am a new user on the mailing list and also new to Snort, so firstly I want to say hello!! I have configured Snort 2.9.6.1 with daq 2.0.2 and pf_ring 5.6.1. I want to use Snort to capture HTTP POSTs which are forwarded to my system. I have a problem with configuring the output to store the reassembled packets. When the size of the HTTP POST is larger than 1500, I can see in my unified2 file that every TCP segment is stored as an event and a packet, so if the HTTP POST consists of 2 TCP segments I have 2 events and 2 packets; from my point of view it would be better to have only one event and one packet for the reassembled packet. I have read this thread: http://seclists.org/snort/2012/q4/758, and 2 years ago it was impossible, so my question is: is it possible to configure the unified2 output in Snort 2.9.6.1 to store reassembled packets??
>>>>
>>>> -------------
>>>> BR Mateusz
>>>
>>> --
>>> ------------
>>> Mateusz
>
> --
> ------------
> Mateusz
-- ------------ Mateusz
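To check for the symptom described in the thread (one IDS event record plus one packet record per TCP segment, instead of one event for the reassembled request), here is an added example that is not part of the thread or of Snort itself: a minimal unified2 reader in Python that groups packet records by (sensor_id, event_id, event_second) and reports flows on which the same rule fired more than once. It builds its own constructed unified2 stream in memory so it runs offline; the record layouts (type 7 legacy IDS event, type 2 packet) follow Snort's Unified2_common.h, while the addresses, ports, sid, timestamps and payload bytes are constructed sample values. Other event record types (the IPv6 and VLAN variants) are skipped rather than decoded.

```python
import struct
from collections import defaultdict

# Record types from Snort's unified2 format (Unified2_common.h).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

RECORD_HDR_FMT = ">II"      # record header: type, length (big-endian)
IDS_EVENT_FMT = ">11I2H4B"  # Unified2IDSEvent_legacy, 52 bytes
PACKET_HDR_FMT = ">7I"      # Unified2Packet header, 28 bytes, then packet_data


def pack_record(rtype, body):
    """Wrap a record body in the unified2 record header."""
    return struct.pack(RECORD_HDR_FMT, rtype, len(body)) + body


def make_ids_event(sensor_id, event_id, event_second, sid, gid, src, dst, sport, dport):
    """Build a type-7 IDS event record (constructed sample: TCP, no impact, not blocked)."""
    body = struct.pack(IDS_EVENT_FMT,
                       sensor_id, event_id, event_second, 0,  # event_microsecond
                       sid, gid, 1,                           # signature_revision
                       0, 1,                                  # classification_id, priority_id
                       src, dst, sport, dport,
                       6, 0, 0, 0)                            # protocol=TCP, impact_flag, impact, blocked
    return pack_record(UNIFIED2_IDS_EVENT, body)


def make_packet(sensor_id, event_id, event_second, packet_data):
    """Build a type-2 packet record tied to the given event (linktype 1 = Ethernet)."""
    hdr = struct.pack(PACKET_HDR_FMT, sensor_id, event_id, event_second,
                      event_second, 0, 1, len(packet_data))
    return pack_record(UNIFIED2_PACKET, hdr + packet_data)


def iter_records(data):
    """Yield (type, body) for every record in a unified2 byte stream."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(RECORD_HDR_FMT, data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, body
        off += 8 + rlen


def packets_per_event(data):
    """Return (events, packets): events keyed by (sensor, event_id, event_second),
    packets as a list of raw packet bytes under the same key."""
    events, packets = {}, defaultdict(list)
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            f = struct.unpack(IDS_EVENT_FMT, body)
            events[(f[0], f[1], f[2])] = {"sid": f[4], "gid": f[5], "src": f[9],
                                          "dst": f[10], "sport": f[11],
                                          "dport": f[12], "proto": f[13]}
        elif rtype == UNIFIED2_PACKET:
            f = struct.unpack_from(PACKET_HDR_FMT, body, 0)
            packets[(f[0], f[1], f[2])].append(body[28:28 + f[6]])
        # IPv6 / VLAN event variants are not decoded in this example
    return events, packets


def flows_with_split_events(events):
    """Flows (proto, src, sport, dst, dport, gid, sid) carrying more than one event:
    the per-segment alerting the thread describes."""
    by_flow = defaultdict(list)
    for key, ev in events.items():
        flow = (ev["proto"], ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["gid"], ev["sid"])
        by_flow[flow].append(key)
    return {flow: sorted(keys) for flow, keys in by_flow.items() if len(keys) > 1}


def build_sample_stream():
    """Constructed sample: one POST split into two TCP segments, each logged as its own
    event + packet record (values below are made up, not taken from the thread's capture)."""
    sensor, second = 1, 1403512000
    src, dst = 0x0A0BA901, 0x0A0BA929  # 10.11.169.1 -> 10.11.169.41 (constructed client address)
    segments = (
        (1, b"POST /kabira/kpsa/submitOrder HTTP/1.1\r\nContent-Type: text/xml\r\n\r\n"),
        (2, b"<order><id>sample</id></order>"),
    )
    stream = b""
    for event_id, seg in segments:
        stream += make_ids_event(sensor, event_id, second, 1000001, 1, src, dst, 40000, 50007)
        stream += make_packet(sensor, event_id, second, seg)
    return stream


if __name__ == "__main__":
    events, packets = packets_per_event(build_sample_stream())
    for key, ev in sorted(events.items()):
        print("event %s sid=%d packets=%d" % (key, ev["sid"], len(packets[key])))
    for flow, keys in flows_with_split_events(events).items():
        print("flow dport=%d has %d events: %s" % (flow[4], len(keys), [k[1] for k in keys]))
```

Pointing `packets_per_event` at the bytes of a real unified2 file (`open(path, "rb").read()`) instead of the constructed stream gives the same per-event packet counts for a live Snort output, which is the quickest way to confirm whether each HTTP POST produced one event or one per segment.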