Snort mailing list archives

Re: RE : Re: http_header usage


From: rmkml <rmkml () yahoo fr>
Date: Tue, 22 Apr 2014 20:49:44 +0200 (CEST)

Thanks Cagri,

OK, could you capture your test as a pcap with snort/tcpdump, please?
(for replaying your tests, full payload please)

Another test: could you remove your "ipvar" (set it to any), please? (only for testing)
alert tcp any any -> any any (msg:"Test rule"; flow:to_server,established; content:"GET"; http_method; sid:1;)

What is your snort version, please?
IDS mode? span/tap? IPS/inline mode? nfq? afpacket? pfring?
How do you start snort, please?
Please post your full snort.conf.

Regards
@Rmkml


On Tue, 22 Apr 2014, Cagri Ersen wrote:

Hi Rmkml,

On Tue, Apr 22, 2014 at 8:05 PM, rmkml <rmkml () yahoo fr> wrote:
      Please try disable cksum verification? ( -k none )


Unfortunately, it didn't work.

This is a very strange problem, since snort extracts the headers but the http_keywords just ignore them.
Here is the http_inspect summary for an HTTP request:

HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          1
    HTTP Request Headers extracted:       1
    HTTP Request Cookies extracted:       0
    Post parameters extracted:            0
    HTTP response Headers extracted:      1
    HTTP Response Cookies extracted:      1
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              60


--
Cagri Ersen
http://www.syslogs.org
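As an added illustration (not part of either message above), here is a constructed pcap that exercises the test rule rmkml quotes: the capture must contain the complete three-way handshake, otherwise flow:to_server,established never becomes true and http_method has nothing to match, even when http_inspect reports headers extracted. Addresses, ports, MACs and the request are made-up sample values; the file can be replayed with snort -r (adding -k none if checksums are a concern).

```python
import struct
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18  # TCP flag bytes

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum shared by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame with valid checksums (constructed sample)."""
    src_ip, dst_ip = (bytes(map(int, a.split("."))) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload

def build_http_test_pcap(path, client="10.0.0.2", server="10.0.0.1"):
    """Write a pcap with the full 3-way handshake followed by one HTTP GET,
    so flow:to_server,established and http_method have a session to match on."""
    request = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    c, s = (client, server, 40000, 80), (server, client, 80, 40000)
    frames = [tcp_packet(*c, 1000, 0, SYN),                    # client SYN
              tcp_packet(*s, 5000, 1001, SYNACK),              # server SYN/ACK
              tcp_packet(*c, 1001, 5001, ACK),                 # ACK -> established
              tcp_packet(*c, 1001, 5001, PSHACK, request)]     # the GET, to_server
    with open(path, "wb") as f:
        # global header: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 = Ethernet
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1398196184 + i, 0, len(frame), len(frame)))
            f.write(frame)
    return len(frames)

def count_pcap_packets(path):
    """Read the file back: (packet count, packets whose TCP payload starts with GET)."""
    data, pos, count, gets = open(path, "rb").read(), 24, 0, 0
    while pos + 16 <= len(data):
        caplen = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        frame = data[pos + 16:pos + 16 + caplen]
        count, gets = count + 1, gets + frame[54:].startswith(b"GET ")
        pos += 16 + caplen
    return count, gets
```

If the rule fires on this file but not on live traffic, the difference is in the capture path (span/tap missing one direction, checksum offload, ipvar scope), not in the http_method keyword itself.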

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

