Packet Payload not appearing for internal traffic...

["Grimes, Shawn (NIA/IRP)" <GrimesSh () grc nia nih gov>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It seems my snort is not viewing the packet payload of outboung
traffic. I have two rules setup to monitor for code red/nimba related
activity. One for attacks against us and another for us attacking
other sites (meaning we got infected somewhere). The incoming attacks
rule works great, the outgoing doesn't work at all. here are my
rules: 

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Cmd.exe attempt
against us"; content:"cmd.exe";nocase;)
alert tcp $HOME_NET any -> any 80 (msg:"Cmd.exe attempt from us";
content:"cmd.exe";nocase;)
Again, incoming works great, I can see every box that trys to access
cmd.exe on one of our local computers.
Outgoing however, if I type in a web address say:
http://www.google.com/cmd.exe . I don't get the alert I'm supposed
to. I set up a rule for:
alert tcp any any -> any any (msg: "Flood of traffic";) and I got
several allerts but when I went into the detailed view in Acid of the
alert, the packet payload was empty. Any ideas? 

TIA,
Shawn


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBO7zRs9uEKqGIN9SBEQKoQgCeJ7yP9XfX1SPHf9KNljRU1zVlIBgAoL1A
rFP7KTSpYINqAxp+lLyld4CO
=1Vt/
-----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users