Snort mailing list archives

no http traffic detected at all


From: Edwin Smulders <edwin.smulders () northwave nl>
Date: Fri, 16 May 2014 12:04:18 +0200

Hello,

I have a problem I would like some help with: the http inspect preprocessor is not correctly identifying http methods.
In my test setup I have 2 machines, 1x Debian 7 (192.168.10.105) and 1x CentOS 6.5 (192.168.10.107). Both are vmware 
guests.
On both these machines I have made a tcpdump of some HTTP requests - just simple wgets.

On both machines I also have a snort install - 2.9.6.1 from the rpm package and self compiled on the debian machine.
At first I was thinking the debian install was having problems detecting HTTP traffic, but it’s slightly different.

When I load the CentOS tcpdump in both installs, they both detect HTTP GET Requests.
When I load the debian tcpdump in both installs, neither detects HTTP GET Requests.

I’ve attached the tcpdumps (if that works to the mailing list, otherwise I’ll host them somewhere), can anybody help me 
find out what is different?

Note that the same thing happened in the (a bit older) snort version + config in the debian package manager.

Config for the debian machine: http://paste.debian.net/99908/
Config for the centos machine: http://paste.debian.net/99909/
They should be similar except for paths. Most rules should be disabled, this is just about the http inspect 
preprocessor detecting the correct methods.

I have output logs for the following commands: 

root@snorttest2:/home/esmulders/snort-2.9.6.1# /usr/local/bin/snort -c etc/snort.conf -H -U -A cmg -r http-debian.pcap &> snort-debianpcap.log
root@snorttest2:/home/esmulders/snort-2.9.6.1# /usr/local/bin/snort -c etc/snort.conf -H -U -A cmg -r http-centos.pcap &> snort-centospcap.log

snort-debianpcap.log: http://paste.debian.net/99910/
snort-centospcap.log: http://paste.debian.net/99911/

In these outputs the relevant lines are:
GET methods:                          0 
and
GET methods:                          10

Can somebody help me debug this? Let me know if you have debugging tips or if I can provide some more information.
I’m available on Freenode/#snort as Dutchy for direct communication (european timezone/business hours work best for me).


Regards,
Edwin


Attachment: http-centos.pcap
Attachment: http-debian.pcap
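Before comparing the two captures by hand, a practitioner would want to rule out the usual reasons Snort 2.x reports zero GET methods on a pcap that visibly contains HTTP requests: TCP segments with bad checksums (Snort verifies checksums by default and silently drops failures unless run with `-k none` or `config checksum_mode: none`; captures taken on VMware guests with checksum offload enabled often show this), requests on ports that are not in the `ports { ... }` list of `http_inspect_server`, captures truncated by a small snaplen, and requests with no preceding three-way handshake (relevant when stream5_tcp is configured with `require_3whs`). The following script is an added example written for this page, not code from the post or from the Snort project. It parses a classic pcap file with only the standard library, recomputes each TCP checksum, and tallies each of these conditions. The `http_ports` set is an assumption standing in for whatever the local http_inspect_server config lists, and `sample_capture()` builds a constructed four-request capture inline rather than reading the pcaps attached to the post.

```python
"""Audit a pcap for the common reasons Snort's http_inspect counts zero GET methods.

Added example (not from the Snort project). Pure standard library; Ethernet/IPv4 only.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
ETH_IPV4 = 0x0800
IPPROTO_TCP = 6
SYN, ACK = 0x02, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (pads odd-length input with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field already zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return inet_checksum(pseudo + segment)


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b"", corrupt_checksum=False):
    """Build an Ethernet/IPv4/TCP frame. corrupt_checksum mimics a capture taken with TCP
    checksum offload, where the NIC, not the kernel, would have filled in the field."""
    src, dst = (bytes(int(o) for o in ip.split(".")) for ip in (src_ip, dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0) + payload
    csum = tcp_checksum(src, dst, tcp)
    if corrupt_checksum:
        csum = (csum + 1) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return b"\x00" * 6 + b"\x00" * 5 + b"\x01" + struct.pack("!H", ETH_IPV4) + ip + tcp


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1400000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def audit_pcap(data: bytes, http_ports=frozenset({80, 8080})) -> dict:
    """Count GET requests and how many of them Snort would plausibly not see and why.
    http_ports is an assumption: use the ports from your http_inspect_server config."""
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("example only handles Ethernet link type")
    syns, handshakes = set(), set()  # keyed by (client_ip, client_port, server_ip, server_port)
    stats = {"get_requests": 0, "get_bad_tcp_checksum": 0, "get_without_handshake": 0,
             "get_on_unconfigured_port": 0, "truncated_frames": 0}
    off = 24
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if incl < orig:  # snaplen cut the packet; checksum and payload checks are meaningless
            stats["truncated_frames"] += 1
            continue
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4 or frame[23] != IPPROTO_TCP:
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        src, dst = frame[26:30], frame[30:34]
        seg = frame[14 + ihl:14 + total_len]
        if len(seg) < 20:
            continue
        sport, dport = struct.unpack("!HH", seg[:4])
        flags, payload = seg[13], seg[(seg[12] >> 4) * 4:]
        if flags & SYN and not flags & ACK:
            syns.add((src, sport, dst, dport))
        elif flags & SYN and flags & ACK and (dst, dport, src, sport) in syns:
            handshakes.add((dst, dport, src, sport))
        if not payload.startswith(b"GET "):
            continue
        stats["get_requests"] += 1
        stored = struct.unpack("!H", seg[16:18])[0]
        if tcp_checksum(src, dst, seg[:16] + b"\x00\x00" + seg[18:]) != stored:
            stats["get_bad_tcp_checksum"] += 1
        if (src, sport, dst, dport) not in handshakes:
            stats["get_without_handshake"] += 1
        if dport not in http_ports:
            stats["get_on_unconfigured_port"] += 1
    return stats


def sample_capture() -> bytes:
    """Constructed capture (not the post's pcaps): four GETs, three with a reason Snort might skip them."""
    client, server = "192.168.10.105", "192.168.10.107"
    get = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
    frames = []

    def handshake(cport, sport):
        frames.append(build_frame(client, server, cport, sport, SYN))
        frames.append(build_frame(server, client, sport, cport, SYN | ACK))
        frames.append(build_frame(client, server, cport, sport, ACK))

    handshake(40001, 80); frames.append(build_frame(client, server, 40001, 80, ACK, get))              # fine
    handshake(40002, 80); frames.append(build_frame(client, server, 40002, 80, ACK, get, True))        # bad checksum
    frames.append(build_frame(client, server, 40003, 80, ACK, get))                                   # no handshake
    handshake(40004, 8888); frames.append(build_frame(client, server, 40004, 8888, ACK, get))          # port not configured
    return build_pcap(frames)


if __name__ == "__main__":
    print(audit_pcap(sample_capture()))
```

To run it against a real capture, replace `sample_capture()` with `open("http-debian.pcap", "rb").read()` and pass the port list from your http_inspect_server block. A non-zero `get_bad_tcp_checksum` on the capture that Snort ignores is the quickest thing to confirm, since re-running Snort with `-k none` will show whether the GET count changes.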




Snort-users mailing list