Snort mailing list archives

Re: Snort-users Digest, Vol 98, Issue 97


From: Rowell Dionicio <RDionicio () infracore net>
Date: Fri, 25 Jul 2014 14:43:56 +0000

Okay I gotcha there. My snort output is being dumped into a unified2 format. I added this line:

output log_tcpdump: tcpdump.log

I'll watch for that traffic again and analyze in Wireshark to determine what's going on. Is there a better output to 
use?

-Rowell


On 7/23/2014 12:21 PM, Rowell Dionicio wrote:
Hi,

I'm new to Snort and just started tuning it. I'm getting a lot of:

http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

I don't want to rule anything out without inspecting it and knowing what it
really means. What resource can I use to look into these various alerts?

one thing to do would be to look at the pcap that snort captured of the traffic 
and see exactly what that traffic is from... i see a lot of it myself and it 
seems to be where 3rd party traffic is pulled for ads and similar...

you can use tcpdump or wireshark to look at the pcap files... you might need to 
look at more than just what snort has captured to get a clear picture, though... 
that could entail enlisting a full packet capture tool to capture all the 
traffic all the time... but then again, one could craft a tcpdump or wireshark 
capture for the specific traffic and grab the flow that way...
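The triage described in the reply above (open the capture Snort wrote and see what the flagged traffic actually is) can be scripted for this one alert. The following is an added example, not code from the thread or from Snort: it walks a classic libpcap file such as the one log_tcpdump writes, and reports every HTTP response whose header block has neither Content-Length nor Transfer-Encoding, which is the condition the http_inspect message names. It assumes Ethernet framing, IPv4, and that each response header block fits in one TCP segment (no stream reassembly); the sample capture, addresses and hostnames are constructed inline for the demonstration.

```python
"""Added example: walk a Snort log_tcpdump capture and flag HTTP responses
that carry neither Content-Length nor Transfer-Encoding, the condition named
by the http_inspect alert discussed in the thread.  Hypothetical helper code,
not part of Snort; the sample capture below is constructed inline."""
import struct

ETH_IPV4 = 0x0800
LE_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}   # classic pcap, little-endian (usec / nsec)
BE_MAGICS = {0xD4C3B2A1, 0x4D3CB2A1}   # same, written big-endian


def iter_frames(pcap):
    """Yield each captured frame from a classic (non-pcapng) pcap byte string."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic in LE_MAGICS:
        end = "<"
    elif magic in BE_MAGICS:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24                                        # skip the global header
    while off + 16 <= len(pcap):
        _sec, _frac, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                  # protocol 6 = TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[doff:]


def response_lacks_length(payload):
    """True when payload begins an HTTP response whose header block has neither
    Content-Length nor Transfer-Encoding (the body is then delimited by connection close)."""
    if not payload.startswith(b"HTTP/1."):
        return False
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False                                # header block not complete in this segment
    names = {line.split(b":", 1)[0].strip().lower()
             for line in head.split(b"\r\n")[1:] if b":" in line}
    return b"content-length" not in names and b"transfer-encoding" not in names


def find_unbounded_responses(pcap):
    """List (src, sport, dst, dport, status_line) for every flagged response in the capture."""
    hits = []
    for frame in iter_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        if response_lacks_length(payload):
            status = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            hits.append((src, sport, dst, dport, status))
    return hits


# --- constructed sample capture (not real traffic) -------------------------
def _frame(src, sport, dst, dport, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums; enough for offline parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + struct.pack("!H", ETH_IPV4) + ip + tcp


def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                          for i, f in enumerate(frames))


SERVER, CLIENT = "203.0.113.10", "192.0.2.5"       # RFC 5737 documentation addresses
SAMPLE_PCAP = _pcap([
    _frame(CLIENT, 50001, SERVER, 80, b"GET /ad.js HTTP/1.1\r\nHost: ads.example\r\n\r\n"),
    _frame(SERVER, 80, CLIENT, 50002,
           b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nContent-Type: text/plain\r\n\r\nok"),
    _frame(SERVER, 80, CLIENT, 50001,   # HTTP/1.0-style ad response: no length, close-delimited
           b"HTTP/1.0 200 OK\r\nServer: ad-server\r\nConnection: close\r\n"
           b"Content-Type: application/javascript\r\n\r\nvar x=1;"),
    _frame(SERVER, 80, CLIENT, 50003,
           b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
])

if __name__ == "__main__":
    for src, sport, dst, dport, status in find_unbounded_responses(SAMPLE_PCAP):
        print(f"{src}:{sport} -> {dst}:{dport}  {status}")
```

Point it at the real tcpdump.log by replacing SAMPLE_PCAP with the file's bytes. A response with neither header is legitimate HTTP: an HTTP/1.0 server, or any server answering with Connection: close, ends the body by closing the connection, which is why this shows up so often on third-party ad fetches. The server name, status line and peer address the script prints are what you need to decide whether a given source is benign enough to suppress the alert for, rather than turning it off globally.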


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
