Snort mailing list archives

tag:session problem


From: Maxim <hittlle () 163 com>
Date: Fri, 25 Nov 2016 09:28:13 +0800 (CST)

Hi snort team,
I came across a weird problem and need your help. I wrote the following rule to capture the bidirectional packets of the same session if the attacker triggers this rule:

    alert tcp any any -> any 80 (msg:"bidirectional-packet-test"; sid:10000001; rev:1; content:"test"; http_uri; classtype:web-application-attack; flowbits:isnotset,foo; flowbits:set,foo; tag:session,exclusive;)

The purpose of this rule is to capture both the HTTP request and the corresponding HTTP response packets. I launch snort as follows:

    snort -c /etc/snort/snort.conf -D

After that, I use postman to simulate a request to my target, then I check snort.log, and I can see both the request and response packets as expected. Then I use postman to send the same HTTP request again; this time I only see the request packet, but cannot find the response packet. I checked the stream5_tcp configuration items, and there is only a timeout item which I think has something to do with this. I changed it from 180 seconds to 30 seconds, then omitted it altogether and tried again, but I failed. Am I missing anything? Thanks.
Snort-users mailing list
Snort-users () lists sourceforge net