Snort mailing list archives
Re: RE : Re: http_header usage
From: rmkml <rmkml () yahoo fr>
Date: Tue, 22 Apr 2014 20:49:44 +0200 (CEST)
Thx Cagri, ok, could you write your test to a pcap with snort/tcpdump-like please? (to replay your tests, full payload please)

Another test: could you replace your "ipvar" with any please? (only for testing)

alert tcp any any -> any any (msg:"Test rule"; flow:to_server,established; content:"GET"; http_method; sid:1;)

What is your snort version please? ids mode? span/tap? ips/inline mode? nfq? afpacket? pfring?
How do you start snort please?
Post your full snort.conf please?

Regards
@Rmkml

On Tue, 22 Apr 2014, Cagri Ersen wrote:
Hi Rmkml,

On Tue, Apr 22, 2014 at 8:05 PM, rmkml <rmkml () yahoo fr> wrote:
> Please try disabling cksum verification? (-k none)

Unfortunately, it didn't work. This is a very strange problem, since snort extracts the headers but the http_* keywords just ignore them.

Here is the http_inspect summary for an http request:

HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          1
    HTTP Request Headers extracted:       1
    HTTP Request Cookies extracted:       0
    Post parameters extracted:            0
    HTTP response Headers extracted:      1
    HTTP Response Cookies extracted:      1
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              60

--
Cagri Ersen
http://www.syslogs.org
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- RE : Re: http_header usage rmkml (Apr 22)
- Re: RE : Re: http_header usage Cagri Ersen (Apr 22)
- Re: RE : Re: http_header usage rmkml (Apr 22)
- Re: RE : Re: http_header usage Cagri Ersen (Apr 22)
- Re: RE : Re: http_header usage Cagri Ersen (Apr 23)
- Re: RE : Re: http_header usage lists () packetmail net (Apr 23)
- Re: RE : Re: http_header usage Cagri Ersen (Apr 23)
- Re: RE : Re: http_header usage rmkml (Apr 22)
- Re: RE : Re: http_header usage Cagri Ersen (Apr 22)