Snort mailing list archives
Re: "HTTP inspect preprocessor: UNKNOWN METHOD"
From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 22 Jun 2013 09:51:58 -0600
On 2013-06-20 18:53, James Lay wrote:
Got a packet capture of one of these you can share?

James

On Jun 20, 2013, at 8:58 AM, saiwer saiwer <saiwer.saiwer () gmail com> wrote:
[  0] 00 01 D7 A2 87 45 88 43 E1 0C 53 5C 81 00 01 2C  .....E.C..S...,
[ 16] 08 00 45 00 05 8C 11 A9 40 00 80 06 D2 62 C0 A8  ..E.....@....b..
[ 32] 32 DE 0A 86 13 54 EA 0E 00 50 BF F4 55 2E E7 08  2....T...P..U...
[ 48] E0 EB 50 10 80 07 2F C2 00 00 50 4F 53 54 20 2F  ..P.../...POST /
[ 64] 6F 77 61 43 6F 72 72 65 6F 2F 65 76 2E 6F 77 61  owaCorreo/ev.owa
[ 80] 3F 6F 65 68 3D 31 26 6E 73 3D 50 65 6E 64 69 6E  ?oeh=1&ns=Pendin
[ 96] 67 52 65 71 75 65 73 74 26 65 76 3D 46 69 6E 69  gRequest&ev=Fini
[112] 73 68 4E 6F 74 69 66 69 63 61 74 69 6F 6E 52 65  shNotificationRe
[128] 71 75 65 73 74 26 55 41 3D 30 20 48 54 54 50 2F  quest&UA=0 HTTP/
[144] 31 2E 31 0D 0A                                   1.1..

So after using text2pcap, this is a weird packet. Everything looks fine in Wireshark...ethernet, vlan, IP, TCP, but Wireshark simply doesn't see this as http..even if forced. Not much more I can do without a better capture.

James
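
Added example, not part of the original messages: a Python decode of the 149 bytes in the quoted hex dump, walking Ethernet, 802.1Q, IPv4 and TCP by hand. It compares the TCP payload length implied by the IP total-length field with the payload bytes actually present in the dump. The function, constant and field names are assumptions made for this example.

```python
import struct

# Bytes copied from the hex dump quoted in the message (offsets 0-148).
DUMP_HEX = """
00 01 D7 A2 87 45 88 43 E1 0C 53 5C 81 00 01 2C
08 00 45 00 05 8C 11 A9 40 00 80 06 D2 62 C0 A8
32 DE 0A 86 13 54 EA 0E 00 50 BF F4 55 2E E7 08
E0 EB 50 10 80 07 2F C2 00 00 50 4F 53 54 20 2F
6F 77 61 43 6F 72 72 65 6F 2F 65 76 2E 6F 77 61
3F 6F 65 68 3D 31 26 6E 73 3D 50 65 6E 64 69 6E
67 52 65 71 75 65 73 74 26 65 76 3D 46 69 6E 69
73 68 4E 6F 74 69 66 69 63 61 74 69 6F 6E 52 65
71 75 65 73 74 26 55 41 3D 30 20 48 54 54 50 2F
31 2E 31 0D 0A
"""
FRAME = bytes.fromhex("".join(DUMP_HEX.split()))

def decode_frame(raw: bytes) -> dict:
    """Walk Ethernet -> optional 802.1Q tag -> IPv4 -> TCP and report how
    much of the TCP payload the capture actually holds."""
    ethertype, = struct.unpack_from("!H", raw, 12)
    off, vlan = 14, None
    if ethertype == 0x8100:                      # 802.1Q tag present
        tci, ethertype = struct.unpack_from("!HH", raw, 14)
        vlan, off = tci & 0x0FFF, 18             # low 12 bits are the VLAN ID
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (raw[off] & 0x0F) * 4                  # IP header length in bytes
    total_len, = struct.unpack_from("!H", raw, off + 2)
    if raw[off + 9] != 6:
        raise ValueError("not TCP")
    src = ".".join(map(str, raw[off + 12:off + 16]))
    dst = ".".join(map(str, raw[off + 16:off + 20]))
    tcp = off + ihl
    sport, dport = struct.unpack_from("!HH", raw, tcp)
    doff = (raw[tcp + 12] >> 4) * 4              # TCP header length in bytes
    payload = raw[tcp + doff:]
    return {
        "vlan": vlan, "src": src, "dst": dst, "sport": sport, "dport": dport,
        "tcp_flags": raw[tcp + 13],
        "payload_expected": total_len - ihl - doff,   # per IP total length
        "payload_captured": len(payload),
        "request_line": payload.split(b"\r\n", 1)[0].decode("latin-1"),
    }

if __name__ == "__main__":
    for key, value in decode_frame(FRAME).items():
        print(f"{key:17} {value}")
```

On these bytes the IP header declares a 1420-byte datagram (1380 bytes of TCP payload), while the dump holds 91 payload bytes: the request line and its CRLF.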