Snort mailing list archives
tag:session problem
From: Maxim <hittlle () 163 com>
Date: Fri, 25 Nov 2016 09:28:13 +0800 (CST)
Hi snort team, I came across a weird problem and need your help. I wrote the following rule to capture the bidirectional packets of the same session if the attacker triggers this rule:

alert tcp any any -> any 80 (msg:"bidirectional-packet-test";sid:10000001; rev:1; content:"test";http_uri; classtype: web-application-attack; flowbits: isnotset,foo;flowbits: set,foo;tag:session,exclusive;)

The purpose of this rule is to capture both the HTTP request and the corresponding HTTP response packets. I launch snort as follows:

snort -c /etc/snort/snort.conf -D

After that, I use postman to simulate a request to my target, then I checked snort.log, and I can see both the request and response packets as expected. Then I use postman to send the same HTTP request again; this time, I only see the request packet, but cannot find the response packet. I checked the stream5_tcp configuration items, and there is only a timeout item which I think has something to do with this. I updated it from 180 seconds to 30 seconds and then omitted it and tried again, but I failed. Am I missing anything? Thanks.
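As an added illustration (not code from the post or from the Snort project), the following Python is a simplified model of how the rule's flowbits pair and tag:session interact per TCP flow: it parses the option list exactly as written above and replays constructed traffic, once with two requests on one connection and once on two connections. It models only the options shown (content/http_uri, flowbits, tag:session), tracks bits per flow the way stream5 keys a session, and does not model tag count limits, the exclusive modifier, or stream5 timeouts.

```python
from collections import defaultdict

# Rule text copied from the post above.
RULE = ('alert tcp any any -> any 80 (msg:"bidirectional-packet-test";sid:10000001; rev:1; '
        'content:"test";http_uri; classtype: web-application-attack; '
        'flowbits: isnotset,foo;flowbits: set,foo;tag:session,exclusive;)')

def parse_options(rule):
    """Split the parenthesised option list into ordered (keyword, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs = [o.strip().partition(":") for o in body.split(";") if o.strip()]
    return [(k.strip(), v.strip()) for k, _, v in pairs]

def flow_key(pkt):
    """Both directions of a TCP connection map to one flow, as stream5 tracks it."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return tuple(sorted([a, b]))

def matches(opts, bits, pkt):
    """Evaluate content/http_uri and flowbits checks in rule order; set bits only on a match."""
    if "test" not in pkt.get("uri", ""):      # content:"test"; http_uri
        return False
    to_set = []
    for key, val in opts:
        if key != "flowbits":
            continue
        op, _, name = val.partition(",")
        op, name = op.strip(), name.strip()
        if op == "isnotset" and name in bits:
            return False
        if op == "isset" and name not in bits:
            return False
        if op == "set":
            to_set.append(name)
    bits.update(to_set)
    return True

def run(packets, rule=RULE):
    """Return (alerted, logged) per packet: alerts log, and tag:session logs the rest of the flow."""
    opts = parse_options(rule)
    tags_session = any(k == "tag" and v.startswith("session") for k, v in opts)
    bits, tagged, out = defaultdict(set), set(), []
    for pkt in packets:
        fk = flow_key(pkt)
        alerted = matches(opts, bits[fk], pkt)
        if alerted and tags_session:
            tagged.add(fk)
        out.append((alerted, alerted or fk in tagged))
    return out

C, S = "10.0.0.5", "10.0.0.80"   # constructed client and server addresses
def req(sport, uri): return {"src": C, "sport": sport, "dst": S, "dport": 80, "uri": uri}
def resp(sport):     return {"src": S, "sport": 80, "dst": C, "dport": sport}

# Constructed traffic: two requests over one kept-alive connection vs. two separate connections.
SAME_CONN = [req(40001, "/test"), resp(40001), req(40001, "/test"), resp(40001)]
NEW_CONN  = [req(40001, "/test"), resp(40001), req(40002, "/test"), resp(40002)]
```

Because `flowbits:isnotset,foo` is checked against the flow's own bits, the rule can fire at most once per TCP connection; a second request only triggers a fresh alert when it arrives on a new connection.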