Snort mailing list archives

Re: Snort 2.9.13 not recognizing server response in PCAP.


From: My Account via Snort-users <snort-users () lists snort org>
Date: Fri, 31 May 2019 23:04:48 -0400

Hi Al,

Thanks for the response. Unfortunately, I cannot share the PCAP. Port 8080
is in the HTTP stream. How would I check for the proper HTTP preprocessors?

Interestingly, when I removed *established* from the rule, it worked. I am
not sure why, because the server responded with an HTTP OK.

Thanks.

On Fri, May 31, 2019 at 10:36 AM Al Lewis (allewi) <allewi () cisco com> wrote:

Is port 8080 within your stream and http preprocessors?

Can you share the pcap?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of My Account via Snort-users <snort-users () lists snort org>
Reply-To: My Account <researchitdammit () gmail com>
Date: Friday, May 31, 2019 at 10:26 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Snort 2.9.13 not recognizing server response in PCAP.



Hi,



I have a situation where Snort does not appear to be recognizing packets
that I have in a PCAP. The packet in question is a simple HTTP server
response. The rule is set up to read content in the packet.

The server port is 8080. At this point, I cannot figure out which
configuration setting to change to get Snort to parse the server response.



Sample Rule:

alert tcp any any -> any any \
( \
    msg: "Alert"; \
    flow:from_server,established; \
    content:"password"; \
    sid:6000002; rev:1; \
)





Thanks.

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
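The observation in the reply, that the rule fires as soon as flow:established is dropped, points at the stream preprocessor's view of the session rather than at the content match. Snort can only satisfy "established" for a session its stream preprocessor has tracked to that state, and a capture that begins after the three-way handshake gives it no SYN, SYN/ACK or ACK to track; the stream5_tcp option require_3whs in the Snort manual decides whether a session seen midstream may still count as established, so it is worth checking next to the capture itself. The check below is an added example, not from the thread and not Snort code: it parses a classic little-endian Ethernet pcap and reports, for each session to a given server port, whether the full handshake was captured before the server's first data. The two captures are constructed inline, with a 200 OK body that contains the string the sample rule looks for.

```python
# Added check (not Snort code): does the pcap contain the TCP handshake for
# each session to a server port?  Assumes a little-endian libpcap file with
# Ethernet framing; the captures at the bottom are constructed samples.
import struct

PCAP_MAGIC = 0xA1B2C3D4
TH_SYN, TH_PSH, TH_ACK = 0x02, 0x08, 0x10

def tcp_frame(src_ip, dst_ip, sport, dport, flags, seq, ack, payload=b""):
    """Ethernet/IPv4/TCP frame with zero checksums (constructed sample)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Serialize frames into a libpcap file (version 2.4, linktype 1)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def iter_frames(pcap):
    """Yield raw frames from a libpcap file."""
    magic, linktype = struct.unpack("<I", pcap[:4])[0], struct.unpack("<I", pcap[20:24])[0]
    if magic != PCAP_MAGIC or linktype != 1:
        raise ValueError("need a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload) or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    t = 14 + (frame[14] & 0x0F) * 4                  # start of TCP header
    ip_end = 14 + struct.unpack("!H", frame[16:18])[0]
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    doff = (frame[t + 12] >> 4) * 4
    return src, dst, sport, dport, frame[t + 13], frame[t + doff:ip_end]

def handshake_report(pcap, server_port):
    """Per session to server_port: which handshake legs were seen, whether the
    session counts as established, and whether server data preceded the handshake."""
    sessions = {}
    for frame in iter_frames(pcap):
        p = parse_tcp(frame)
        if p is None:
            continue
        src, dst, sport, dport, flags, payload = p
        if dport == server_port:
            key, from_server = (src, sport, dst, dport), False
        elif sport == server_port:
            key, from_server = (dst, dport, src, sport), True
        else:
            continue
        s = sessions.setdefault(key, {"syn": False, "synack": False, "ack": False,
                                      "established": False, "data_before_3whs": False})
        syn, ack = bool(flags & TH_SYN), bool(flags & TH_ACK)
        if not from_server and syn and not ack:
            s["syn"] = True
        elif from_server and syn and ack:
            s["synack"] = True
        elif not from_server and ack and s["syn"] and s["synack"]:
            s["ack"] = True
        s["established"] = s["syn"] and s["synack"] and s["ack"]
        if from_server and payload and not s["established"]:
            s["data_before_3whs"] = True
    return sessions

# Constructed traffic: a client fetches a page from 10.0.0.9:8080 and the
# server's 200 OK body carries the string the poster's rule matches on.
CLIENT, SERVER, PORT = "10.0.0.5", "10.0.0.9", 8080
REQUEST = b"GET /login HTTP/1.1\r\nHost: app\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 17\r\n\r\npassword=changeme"
REQ = tcp_frame(CLIENT, SERVER, 40000, PORT, TH_PSH | TH_ACK, 101, 501, REQUEST)
RESP = tcp_frame(SERVER, CLIENT, PORT, 40000, TH_PSH | TH_ACK, 501,
                 101 + len(REQUEST), RESPONSE)
FULL_CAPTURE = build_pcap([
    tcp_frame(CLIENT, SERVER, 40000, PORT, TH_SYN, 100, 0),
    tcp_frame(SERVER, CLIENT, PORT, 40000, TH_SYN | TH_ACK, 500, 101),
    tcp_frame(CLIENT, SERVER, 40000, PORT, TH_ACK, 101, 501),
    REQ, RESP,
])
MIDSTREAM_CAPTURE = build_pcap([REQ, RESP])   # same exchange, handshake not captured

if __name__ == "__main__":
    for name, cap in (("full", FULL_CAPTURE), ("midstream", MIDSTREAM_CAPTURE)):
        print(name, handshake_report(cap, PORT))
```

Run it against a real capture by reading the file into bytes and passing it with the server port; a session that shows data_before_3whs set and established unset is one the stream preprocessor never saw start, which is exactly the case where a rule with flow:established stays silent although the response payload is plainly in the file.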
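For the other question, whether port 8080 is in the stream and HTTP preprocessor configuration, the lines to look at in a Snort 2.9 snort.conf are the preprocessor stream5_tcp: directive, whose ports client, ports server and ports both lists select which sessions get reassembled, and the preprocessor http_inspect_server: directive, whose ports { ... } list selects which traffic gets HTTP normalization. Both directives run over several backslash-continued lines, so a plain grep for the port can miss or mislead. The following is an added example, not from the thread and not Snort code, that joins the continuation lines and reports a port's coverage; SAMPLE_CONF is a constructed excerpt in the layout of the stock file, with 8080 deliberately left out of the http_inspect_server list.

```python
# Added example (not Snort code): report whether a port such as 8080 is
# covered by the stream5_tcp and http_inspect_server directives in a Snort
# 2.9 snort.conf.  SAMPLE_CONF is a constructed excerpt, not a real file.
import re

SAMPLE_CONF = r"""
# constructed excerpt in the layout of the stock snort.conf
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, max_tcp 262144
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 139 143, \
    ports both 80 81 311 383 443 465 563 591 593 636 901 8000 8080 8443
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK } \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    ports { 80 81 311 383 591 593 901 8000 8443 } \
    normalize_utf \
    unlimited_decompress
"""

def directives(conf_text):
    """Yield (name, args) for each 'preprocessor' directive, joining
    backslash-continued lines and stripping '#' comments."""
    joined = re.sub(r"\\[ \t]*\n", " ", conf_text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"preprocessor\s+(\w+)\s*:\s*(.*)", line)
        if m:
            yield m.group(1), m.group(2)

def stream5_tcp_ports(args):
    """Ports from the comma-separated 'ports client|server|both ...' options;
    the keyword 'all' is kept as the string "all"."""
    found = {"client": set(), "server": set(), "both": set()}
    for opt in args.split(","):
        m = re.match(r"\s*ports\s+(client|server|both)\s+(.*)", opt)
        if m:
            tokens = m.group(2).split()
            found[m.group(1)].update(int(p) for p in tokens if p.isdigit())
            if "all" in tokens:
                found[m.group(1)].add("all")
    return found

def http_inspect_ports(args):
    """Ports from an http_inspect_server 'ports { ... }' list."""
    m = re.search(r"\bports\s*\{([^}]*)\}", args)
    return {int(p) for p in m.group(1).split() if p.isdigit()} if m else set()

def port_coverage(conf_text, port):
    """Where a server port is covered: stream5 reassembly of server-side data
    ('ports server' or 'ports both') and http_inspect normalization."""
    stream = {"client": set(), "server": set(), "both": set()}
    http = set()
    for name, args in directives(conf_text):
        if name == "stream5_tcp":
            for side, ports in stream5_tcp_ports(args).items():
                stream[side] |= ports
        elif name == "http_inspect_server":
            http |= http_inspect_ports(args)
    server_side = stream["server"] | stream["both"]
    return {
        "stream5_server_side": port in server_side or "all" in server_side,
        "http_inspect": port in http,
    }

if __name__ == "__main__":
    with_file = SAMPLE_CONF            # swap in open("/etc/snort/snort.conf").read()
    print(port_coverage(with_file, 8080))
```

Point it at the real file by replacing SAMPLE_CONF with the contents of the snort.conf that the snort -c command line loads, and remember that included files (the default configuration pulls in several via the include directive) are not followed by this parser, so a directive living in one of them needs the same treatment.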
