Snort mailing list archives

Re: "HTTP inspect preprocessor: UNKNOWN METHOD"


From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 22 Jun 2013 09:51:58 -0600

On 2013-06-20 18:53, James Lay wrote:
Got a packet capture of one of these you can share?

James

On Jun 20, 2013, at 8:58 AM, saiwer saiwer <saiwer.saiwer () gmail com> wrote:



[   0] 00 01 D7 A2 87 45 88 43 E1 0C 53 5C 81 00 01 2C  .....E.C..S\...,
[  16] 08 00 45 00 05 8C 11 A9 40 00 80 06 D2 62 C0 A8  ..E.....@....b..
[  32] 32 DE 0A 86 13 54 EA 0E 00 50 BF F4 55 2E E7 08  2....T...P..U...
[  48] E0 EB 50 10 80 07 2F C2 00 00 50 4F 53 54 20 2F  ..P.../...POST /
[  64] 6F 77 61 43 6F 72 72 65 6F 2F 65 76 2E 6F 77 61  owaCorreo/ev.owa
[  80] 3F 6F 65 68 3D 31 26 6E 73 3D 50 65 6E 64 69 6E  ?oeh=1&ns=Pendin
[  96] 67 52 65 71 75 65 73 74 26 65 76 3D 46 69 6E 69  gRequest&ev=Fini
[ 112] 73 68 4E 6F 74 69 66 69 63 61 74 69 6F 6E 52 65  shNotificationRe
[ 128] 71 75 65 73 74 26 55 41 3D 30 20 48 54 54 50 2F  quest&UA=0 HTTP/
[ 144] 31 2E 31 0D 0A                                   1.1..


So after using text2pcap, this is a weird packet. Everything looks fine in
Wireshark...ethernet, vlan, IP, TCP, but Wireshark simply doesn't see this as
HTTP...even if forced. Not much more I can do without a better capture.

James
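As an added example (not part of the original post or of Snort), the Python below rebuilds the frame from the hex dump quoted above, walks Ethernet, the 802.1Q tag, IPv4 and TCP, pulls out the HTTP request line, and compares the TCP payload the IPv4 total length promises with the bytes the dump actually contains. The dump text is copied from the thread; the parsing and decoding code is constructed here.

```python
import re
import struct

# Frame as hex-dumped in the thread (offset, up to 16 bytes, ASCII column).
DUMP = r"""
[   0] 00 01 D7 A2 87 45 88 43 E1 0C 53 5C 81 00 01 2C  .....E.C..S\...,
[  16] 08 00 45 00 05 8C 11 A9 40 00 80 06 D2 62 C0 A8  ..E.....@....b..
[  32] 32 DE 0A 86 13 54 EA 0E 00 50 BF F4 55 2E E7 08  2....T...P..U...
[  48] E0 EB 50 10 80 07 2F C2 00 00 50 4F 53 54 20 2F  ..P.../...POST /
[  64] 6F 77 61 43 6F 72 72 65 6F 2F 65 76 2E 6F 77 61  owaCorreo/ev.owa
[  80] 3F 6F 65 68 3D 31 26 6E 73 3D 50 65 6E 64 69 6E  ?oeh=1&ns=Pendin
[  96] 67 52 65 71 75 65 73 74 26 65 76 3D 46 69 6E 69  gRequest&ev=Fini
[ 112] 73 68 4E 6F 74 69 66 69 63 61 74 69 6F 6E 52 65  shNotificationRe
[ 128] 71 75 65 73 74 26 55 41 3D 30 20 48 54 54 50 2F  quest&UA=0 HTTP/
[ 144] 31 2E 31 0D 0A                                   1.1..
"""

def parse_dump(text):
    """Rebuild raw frame bytes from '[offset] hex... ascii' lines."""
    frame = bytearray()
    for line in text.strip().splitlines():
        m = re.match(r"\[\s*(\d+)\]\s+(.*)", line)
        if not m or int(m.group(1)) != len(frame):
            raise ValueError("unexpected line or offset: %r" % line)
        for tok in m.group(2).split()[:16]:          # at most 16 bytes per row
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break                                 # reached the ASCII column
            frame.append(int(tok, 16))
    return bytes(frame)

def decode_frame(frame):
    """Walk Ethernet -> 802.1Q -> IPv4 -> TCP and report what an analyst checks first."""
    off, vlan = 12, None
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == 0x8100:                                  # 802.1Q tag present
        vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        ethertype, off = struct.unpack_from("!H", frame, off + 4)[0], off + 4
    off += 2                                                 # start of IPv4 header
    if ethertype != 0x0800 or frame[off + 9] != 6:
        raise ValueError("not IPv4 over TCP")
    ihl, total_len = (frame[off] & 0x0F) * 4, struct.unpack_from("!H", frame, off + 2)[0]
    tcp = off + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    payload = frame[tcp + data_off:]
    request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return {"vlan": vlan, "sport": sport, "dport": dport,
            "method": request_line.split(" ", 1)[0], "request_line": request_line,
            # bytes the IP total length promises vs. bytes present in the dump
            "payload_len": len(payload), "expected_payload": total_len - ihl - data_off}
```

For this frame the IPv4 total length of 1420 implies 1380 bytes of TCP payload, while the dump holds 91, so the request line is all that was captured.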

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
