Snort mailing list archives

Re: "http_client_body" rule not working


From: rmkml <rmkml () yahoo fr>
Date: Sat, 28 Jul 2012 00:17:52 +0200 (CEST)

Thx Shaiming for your reply,

Can you explain your tests in more detail, please?

What's your web request/cmd line? Post your Python script please?

Your Snort config? cmd line?
Repost your exact Snort rules please?
Have you disabled cksum for testing please?

Can you run tcpdump for a full network capture please?

Can you detail your IPS os_linux/snort please? daq? iptables/netfilter?

Regards
Rmkml


On Fri, 27 Jul 2012, Shaiming Hsiung wrote:

Can you try with wget or curl cmd line please?
like http post: wget --post-data="world" http://<target_host>:80/hello

In your example, you missed ending your web request with "HTTP/1.0" or
"HTTP/1.1"...

   Sorry, I didn't realize the POST command didn't include the
protocol.

   Anyways, the problem was also present when making the request
via Firefox or Python urllib2.urlopen. I just tried with wget, as you
suggested, but Snort still is not dropping (or alerting) the packet.

   Thanks again for your help,

--
Shaiming Hsiung

