Snort mailing list archives

http_inspect claims no cookies in traffic?


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Mon, 12 Jul 2010 16:58:03 +0000

  I'm trying to play around with doing detection based on cookie content, 
and it simply appears not to be working?

Request (hostnames modified as they are malicious malware domains prior 
to posting to list):
===============================================================================
GET /down.php?c=947 HTTP/1.0

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-silverlight, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*
Referer: hXXp://go12_._scrapper-site_._net/3/?c=947
Accept-Language: en-us,zh-cn;q=0.9,zh-hk;q=0.7,zh-mo;q=0.6,zh-sg;q=0.4,zh-tw;q=0.3,zh;q=0.1
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2; MS-RTC LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: go12_._scrapper-site_._net
Connection: Keep-Alive
Cookie: WinSec_site_u=1; qwEXas=947
===============================================================================

Rule that does not fire:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST http_cookie WinSec"; flow:established,to_server; content:"WinSec_site_u=1"; http_cookie; classtype:bad-unknown; sid:9999999; rev:1;)



This was driving me crazy until I noticed the HTTP Inspect output saying 
there are no request or response cookies extracted:
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
     POST methods:                         0
     GET methods:                          2
     HTTP Request Headers extracted:       2
     HTTP Request Cookies extracted:       0
     Post parameters extracted:            0
     HTTP response Headers extracted:      0
     HTTP Response Cookies extracted:      0
     Unicode:                              0
     Double unicode:                       0
     Non-ASCII representable:              0
     Base 36:                              0
     Directory traversals:                 0
     Extra slashes ("//"):                 0
     Self-referencing paths ("./"):        0
     HTTP Response Gzip packets extracted: 0
     Gzip Compressed Data Processed:       n/a
     Gzip Decompressed Data Processed:     n/a
     Total packets processed:              71
===============================================================================

I've tried other bits of traffic where the server is setting the cookie as 
well, and even then it never says any HTTP request or response cookies 
were extracted. Is there some compilation option or other configuration 
setting that needs to be set for this to work? What gives?

$ snort --version

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.8.6 (Build 38)
    ''''    By Martin Roesch & The Snort Team: 
http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
            Using PCRE version: 7.4 2007-09-21
            Using ZLIB version: 1.2.3.3


-- Eoin
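The message above does not show the poster's http_inspect_server configuration, so the following is an added illustration, not part of the original post or of the Snort distribution. In Snort 2.8.x the http_inspect_server preprocessor populates the cookie buffer (and counts "HTTP Request Cookies extracted") only when the enable_cookie option is set; without it the Cookie header stays in the http_header buffer and an http_cookie content match has nothing to inspect. Response-side header and cookie extraction (the "HTTP response Headers extracted" and "HTTP Response Cookies extracted" counters) additionally needs extended_response_inspection. The "before" server line is an assumed stock-style configuration; the port list and the rule are taken from the thread.

```conf
# BEFORE (assumed config): cookie extraction is off, so the http_cookie
# buffer is empty, the "Request Cookies extracted" counter stays at 0,
# and the rule below can never match.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 }

# AFTER: turn on request-side cookie extraction and extended response
# inspection. Both options may be combined with a profile; "profile"
# must remain the first option on the line.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } \
    enable_cookie \
    extended_response_inspection

# The poster's rule, unchanged apart from spacing the direction token.
# With enable_cookie set, the content "WinSec_site_u=1" is searched in
# the extracted Cookie header rather than in an empty buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST http_cookie WinSec"; flow:established,to_server; content:"WinSec_site_u=1"; http_cookie; classtype:bad-unknown; sid:9999999; rev:1;)
```

After changing the preprocessor line, replay the same capture with `snort -c snort.conf -r capture.pcap` and check that the "HTTP Request Cookies extracted" line in the HTTP Inspect summary is now non-zero before blaming the rule itself.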

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

