Re: HTTP reassembly problem

[João Lima <joao.pedro.paulino.lima () gmail com>]

No. I'm using output unified2

In most cases I'm able to get the packet from the event.

Only when reassembled packets are involved, the unified2Packet is missing.

João Lima

2012/10/10 beenph <beenph () gmail com>

> On Wed, Oct 10, 2012 at 1:35 PM, João Lima
> <joao.pedro.paulino.lima () gmail com> wrote:
> > Ok I think it is getting somewhere...
> >
> > Using the -A cmg option with the tweaked rule Russ sent me I see that the
> > alert is being sent on the reassembled packet...
> >
> > However, when I remove the -A cmg option to have the output being sent to
> > unified2 the packet suddenly does not appear...
> >
> > When I inject the pcap on the network, the only thing I receive in
> unified2
> > is the unified2Event and never receive the unified2Packet...
> >
> > Is it needed extra configuration to send reassembled packets to
> unified2??
> > Thank you in advance for your help. You have been great.
> >
> > João Lima
> Do you use output unified2:?
>
> Sounds like you are using output alert_unified2:
>
> -elz
------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!