[Snort-devel] PB (bug ?) with snort ...

Benoit CAMREDON ben.camredon at ...1801...
Thu Jan 30 08:26:09 EST 2003


    Hi everybody,

First, sorry for my English, it is very bad ...
I have a problem with snort, I don't know if it's a problem of my rules, 
or a problem of snort (certainly a problem of my rules :) ... )
I want to decode an HTTP conversation (with POST method) between two hosts:

    log tcp 217.12.3.11 80 <> 192.168.1.104 any (msg: "HTTP dialog with yahoo"; session:printable;)

First, I thought that it was working ...
Two files were created: 192.168.1.104/SESSION\:56596-80 and 
192.168.1.104/TCP\:56596-80

SESSION\:56596-80:

POST / HTTP/1.1^M
Host: fr.yahoo.com^M
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1b) 
Gecko/20020722^M
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1^M
Accept-Language: fr, fr-fr;q=0.75, en-us;q=0.50, en;q=0.25^M
Accept-Encoding: gzip, deflate, compress;q=0.9^M
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66^M
Keep-Alive: 300^M
Connection: keep-alive^M
Cookie: B=ced5u48umpru4&b=2^M
Content-Type: application/x-www-form-urlencoded^M
Content-Length: 10^M
^M
field=toto

POST / HTTP/1.1^M
Host: fr.yahoo.com^M
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1b) 
Gecko/20020722^M
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1^M
Accept-Language: fr, fr-fr;q=0.75, en-us;q=0.50, en;q=0.25^M
Accept-Encoding: gzip, deflate, compress;q=0.9^M
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66^M
Keep-Alive: 300^M
Connection: keep-alive^M
Cookie: B=ced5u48umpru4&b=2^M
Content-Type: application/x-www-form-urlencoded^M
Content-Length: 10^M
^M
field=toto

HTTP/1.1 501 Method Not Implemented^M
Date: Thu, 30 Jan 2003 15:45:06 GMT^M
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR 
ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi 
PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"^M
Allow: TRACE^M
Connection: close^M
Transfer-Encoding: chunked^M
Content-Type: text/html; charset=iso-8859-1^M
^M
37a    ^M
<html>...</html>

As you can see, there are two POST requests .... In fact there is only 
one (snort and tcpdump sniff only one request). I don't understand why 
the detection engine shows two requests!

The other file was strange too:

[**] HTTP dialog with yahoo [**]
01/30-16:44:02.310235 0:8:A1:26:75:73 -> 0:40:F4:18:B6:44 type:0x800 
len:0x4A
192.168.1.104:56596 -> 217.12.3.11:80 TCP TTL:64 TOS:0x0 ID:11128 
IpLen:20 DgmLen:60 DF
******S* Seq: 0x8B4207EF  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 572927127 0 NOP WS: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] HTTP dialog with yahoo [**]
01/30-16:44:02.382461 0:40:F4:18:B6:44 -> 0:8:A1:26:75:73 type:0x800 
len:0x3C
217.12.3.11:80 -> 192.168.1.104:56596 TCP TTL:52 TOS:0x0 ID:39424 
IpLen:20 DgmLen:44 DF
***A**S* Seq: 0xB1ACB4ED  Ack: 0x8B4207F0  Win: 0x4230  TcpLen: 24
TCP Options (1) => MSS: 1412

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] HTTP dialog with yahoo [**]
01/30-16:44:02.382526 0:8:A1:26:75:73 -> 0:40:F4:18:B6:44 type:0x800 
len:0x36
192.168.1.104:56596 -> 217.12.3.11:80 TCP TTL:64 TOS:0x0 ID:11129 
IpLen:20 DgmLen:40 DF
***A**** Seq: 0x8B4207F0  Ack: 0xB1ACB4EE  Win: 0x16D0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] HTTP dialog with yahoo [**]
01/30-16:44:02.382662 0:8:A1:26:75:73 -> 0:40:F4:18:B6:44 type:0x800 
len:0x257
192.168.1.104:56596 -> 217.12.3.11:80 TCP TTL:64 TOS:0x0 ID:11130 
IpLen:20 DgmLen:585 DF
***AP*** Seq: 0x8B4207F0  Ack: 0xB1ACB4EE  Win: 0x16D0  TcpLen: 20
50 4F 53 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D  POST / HTTP/1.1.
0A 48 6F 73 74 3A 20 66 72 2E 79 61 68 6F 6F 2E  .Host: fr.yahoo.
63 6F 6D 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  com..User-Agent:
20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 58 31   Mozilla/5.0 (X1
31 3B 20 55 3B 20 4C 69 6E 75 78 20 69 36 38 36  1; U; Linux i686
3B 20 65 6E 2D 55 53 3B 20 72 76 3A 31 2E 31 62  ; en-US; rv:1.1b
29 20 47 65 63 6B 6F 2F 32 30 30 32 30 37 32 32  ) Gecko/20020722
0D 0A 41 63 63 65 70 74 3A 20 74 65 78 74 2F 78  ..Accept: text/x
6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78  ml,application/x
6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78  ml,application/x
68 74 6D 6C 2B 78 6D 6C 2C 74 65 78 74 2F 68 74  html+xml,text/ht
6D 6C 3B 71 3D 30 2E 39 2C 74 65 78 74 2F 70 6C  ml;q=0.9,text/pl
61 69 6E 3B 71 3D 30 2E 38 2C 76 69 64 65 6F 2F  ain;q=0.8,video/
78 2D 6D 6E 67 2C 69 6D 61 67 65 2F 70 6E 67 2C  x-mng,image/png,
69 6D 61 67 65 2F 6A 70 65 67 2C 69 6D 61 67 65  image/jpeg,image
2F 67 69 66 3B 71 3D 30 2E 32 2C 74 65 78 74 2F  /gif;q=0.2,text/
63 73 73 2C 2A 2F 2A 3B 71 3D 30 2E 31 0D 0A 41  css,*/*;q=0.1..A
63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20  ccept-Language:
66 72 2C 20 66 72 2D 66 72 3B 71 3D 30 2E 37 35  fr, fr-fr;q=0.75
2C 20 65 6E 2D 75 73 3B 71 3D 30 2E 35 30 2C 20  , en-us;q=0.50,
65 6E 3B 71 3D 30 2E 32 35 0D 0A 41 63 63 65 70  en;q=0.25..Accep
74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70  t-Encoding: gzip
2C 20 64 65 66 6C 61 74 65 2C 20 63 6F 6D 70 72  , deflate, compr
65 73 73 3B 71 3D 30 2E 39 0D 0A 41 63 63 65 70  ess;q=0.9..Accep
74 2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38  t-Charset: ISO-8
38 35 39 2D 31 2C 20 75 74 66 2D 38 3B 71 3D 30  859-1, utf-8;q=0
2E 36 36 2C 20 2A 3B 71 3D 30 2E 36 36 0D 0A 4B  .66, *;q=0.66..K
65 65 70 2D 41 6C 69 76 65 3A 20 33 30 30 0D 0A  eep-Alive: 300..
43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70  Connection: keep
2D 61 6C 69 76 65 0D 0A 52 65 66 65 72 65 72 3A  -alive..Referer:
20 68 74 74 70 3A 2F 2F 76 69 72 74 75 61 6C 5F   http://virtual_
62 65 6E 3A 38 30 38 30 2F 74 6F 74 6F 2E 68 74  ben:8080/toto.ht
6D 6C 0D 0A 43 6F 6F 6B 69 65 3A 20 42 3D 63 65  ml..Cookie: B=ce
64 35 75 34 38 75 6D 70 72 75 34 26 62 3D 32 0D  d5u48umpru4&b=2.
0A                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] HTTP dialog with yahoo [**]
01/30-16:44:02.547751 0:40:F4:18:B6:44 -> 0:8:A1:26:75:73 type:0x800 
len:0x3C
217.12.3.11:80 -> 192.168.1.104:56596 TCP TTL:52 TOS:0x0 ID:39538 
IpLen:20 DgmLen:40 DF
***A**** Seq: 0xB1ACB4EE  Ack: 0x8B420A11  Win: 0x4230  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] HTTP dialog with yahoo [**]
01/30-16:44:02.547801 0:8:A1:26:75:73 -> 0:40:F4:18:B6:44 type:0x800 
len:0x87
192.168.1.104:56596 -> 217.12.3.11:80 TCP TTL:64 TOS:0x0 ID:11131 
IpLen:20 DgmLen:121 DF
***AP*** Seq: 0x8B420A11  Ack: 0xB1ACB4EE  Win: 0x16D0  TcpLen: 20
43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70  Content-Type: ap
70 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D  plication/x-www-
66 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D  form-urlencoded.
0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A  .Content-Length:
20 31 30 0D 0A 0D 0A 66 69 65 6C 64 3D 74 6F 74   10....field=tot
6F                                               o

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] HTTP dialog with yahoo [**]
01/30-16:44:02.610596 0:8:A1:26:75:73 -> 0:40:F4:18:B6:44 type:0x800 
len:0x2A8
192.168.1.104:56596 -> 217.12.3.11:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 
DgmLen:666
***AP*** Seq: 0xB1ACB4EE  Ack: 0x8B420A62  Win: 0x4230  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 35 30 31 20 4D 65 74  HTTP/1.1 501 Met
68 6F 64 20 4E 6F 74 20 49 6D 70 6C 65 6D 65 6E  hod Not Implemen
74 65 64 0D 0A 44 61 74 65 3A 20 54 68 75 2C 20  ted..Date: Thu,
33 30 20 4A 61 6E 20 32 30 30 33 20 31 35 3A 34  30 Jan 2003 15:4
35 3A 30 36 20 47 4D 54 0D 0A 50 33 50 3A 20 70  5:06 GMT..P3P: p
6F 6C 69 63 79 72 65 66 3D 22 68 74 74 70 3A 2F  olicyref="http:/
2F 70 33 70 2E 79 61 68 6F 6F 2E 63 6F 6D 2F 77  /p3p.yahoo.com/w
33 63 2F 70 33 70 2E 78 6D 6C 22 2C 20 43 50 3D  3c/p3p.xml", CP=
22 43 41 4F 20 44 53 50 20 43 4F 52 20 43 55 52  "CAO DSP COR CUR
20 41 44 4D 20 44 45 56 20 54 41 49 20 50 53 41   ADM DEV TAI PSA
20 50 53 44 20 49 56 41 69 20 49 56 44 69 20 43   PSD IVAi IVDi C
4F 4E 69 20 54 45 4C 6F 20 4F 54 50 69 20 4F 55  ONi TELo OTPi OU
52 20 44 45 4C 69 20 53 41 4D 69 20 4F 54 52 69  R DELi SAMi OTRi
20 55 4E 52 69 20 50 55 42 69 20 49 4E 44 20 50   UNRi PUBi IND P
48 59 20 4F 4E 4C 20 55 4E 49 20 50 55 52 20 46  HY ONL UNI PUR F
49 4E 20 43 4F 4D 20 4E 41 56 20 49 4E 54 20 44  IN COM NAV INT D
45 4D 20 43 4E 54 20 53 54 41 20 50 4F 4C 20 48  EM CNT STA POL H
45 41 20 50 52 45 20 47 4F 56 22 0D 0A 41 6C 6C  EA PRE GOV"..All
6F 77 3A 20 54 52 41 43 45 0D 0A 43 6F 6E 6E 65  ow: TRACE..Conne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 54 72  ction: close..Tr
61 6E 73 66 65 72 2D 45 6E 63 6F 64 69 6E 67 3A  ansfer-Encoding:
20 63 68 75 6E 6B 65 64 0D 0A 43 6F 6E 74 65 6E   chunked..Conten
74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D  t-Type: text/htm
6C 3B 20 63 68 61 72 73 65 74 3D 69 73 6F 2D 38  l; charset=iso-8
38 35 39 2D 31 0D 0A 0D 0A 33 37 61 20 20 20 20  859-1....37a
0D 0A 3C 68 74 6D 6C 3E 3C 68 65 61 64 3E 3C 74  ..<html><head><t
69 74 6C 65 3E 59 61 68 6F 6F 21 20 2D 0A 35 30  itle>Yahoo! -.50
31 20 4D 65 74 68 6F 64 20 4E 6F 74 20 49 6D 70  1 Method Not Imp
6C 65 6D 65 6E 74 65 64 3C 2F 74 69 74 6C 65 3E  lemented</title>
3C 2F 68 65 61 64 3E 3C 62 6F 64 79 3E 3C 63 65  </head><body><ce
6E 74 65 72 3E 3C 74 61 62 6C 65 0A 77 69 64 74  nter><table.widt
68 3D 22 39 34 25 22 20 63 65 6C 6C 70 61 64 64  h="94%" cellpadd
69 6E 67 3D 34 20 63 65 6C 6C 73 70 61 63 69 6E  ing=4 cellspacin
67 3D 30 3E 3C 74 72 3E 3C 74 64 0A 77 69 64 74  g=0><tr><td.widt
68 3D 22 31 25 22 3E 3C 61 20 68 72 65 66 3D 68  h="1%"><a href=h
74 74 70 3A 2F 2F 77 77 77 2E 79 61 68 6F 6F 2E  ttp://www.yahoo.
63 6F 6D 3E 3C 69 6D 67 0A 73 72 63 3D 68 74 74  com><img.src=htt
70 3A 2F 2F 75 73 2E 69 31 2E 79 69 6D 67 2E 63  p://us.i1.yimg.c
6F 6D 2F 75 73 2E 79 69 6D 67 2E 63 6F 6D 2F 69  om/us.yimg.com/i
2F 79 61 68 6F 6F 2E 67 69 66 0A 61 6C 74 3D 22  /yahoo.gif.alt="
59 61 68 6F 6F 21 22 0A 77 69 64 74 68 3D 31 34  Yahoo!".width=14
37 20 68 65 69 67 68 74 3D 33 31 20 62 6F 72 64  7 height=31 bord
65 72 3D 30 3E 3C 2F 61 3E 3C 2F 74 64 3E 3C 74  er=0></a></td><t
64 20 61 6C 69 67 6E 3D 72 69 67 68 74 0A 6E 6F  d align=right.no
77 72 61 70 20 76 61 6C 69 67 6E 3D 62 6F 74 74  wrap valign=bott
6F 6D 3E 3C 66 6F 6E 74 20 66 61 63 65 3D 41 72  om><font face=Ar
69 61 6C 20 73 69 7A 65 3D 2D 31 3E 3C 61 0A 68  ial size=-1><a.h
72 65 66 3D 68 74 74 70 3A 2F 2F 68 65 6C 70 2E  ref=http://help.
79 61 68 6F 6F 2E 63 6F 6D 3E 48 65 6C 70 3C 2F  yahoo.com>Help</
61 3E 3C 2F 66 6F 6E 74 3E 3C 68 72 0A 73 69 7A  a></font><hr.siz
65 3D 31 20 6E 6F 73 68 61 64 65 3E 3C 2F 74 64  e=1 noshade></td
3E 3C 2F 74 72 3E 3C 2F 74 61 62 6C 65 3E 3C 74  ></tr></table><t
61 62 6C 65 20 77 69 64 74 68 3D 22 39 34 25 22  able width="94%"
0A 63 65 6C 6C 70 61 64 64 69 6E 67 3D 34 20 63  .cellpadding=4 c
65 6C 6C 73 70 61 63 69 6E 67 3D 30 3E 3C 74 72  ellspacing=0><tr
3E 3C 74 64 20 62 67 63 6F 6C 6F 72 3D 61 30 62  ><td bgcolor=a0b
38 63 38 3E 3C 66 6F 6E 74 0A 73 69 7A 65 3D 2B  8c8><font.size=+
31 20 66 61 63 65 3D 41 72 69 61 6C 3E 3C 62 3E  1 face=Arial><b>
4D 65 74 68 6F 64 20 4E 6F 74 20 49 6D 70 6C 65  Method Not Imple
6D 65 6E 74 65 64 3C 2F 62 3E 3C 2F 66 6F 6E 74  mented</b></font
3E 3C 2F 74 64 3E 3C 2F 74 72 3E 3C 74 72 3E 3C  ></td></tr><tr><
74 64 3E 0A 50 4F 53 54 20 74 6F 20 2F 20 6E 6F  td>.POST to / no
74 20 73 75 70 70 6F 72 74 65 64 2E 3C 50 3E 0A  t supported.<P>.
3C 70 3E 3C 63 65 6E 74 65 72 3E 3C 68 72 20 73  <p><center><hr s
69 7A 65 3D 31 20 6E 6F 73 68 61 64 65 3E 3C 66  ize=1 noshade><f
6F 6E 74 20 73 69 7A 65 3D 2D 32 20 66 61 63 65  ont size=-2 face
3D 41 72 69 61 6C 3E 43 6F 70 79 72 69 67 68 74  =Arial>Copyright
0A 26 63 6F 70 79 3B 20 32 30 30 33 20 59 61 68  .© 2003 Yah
6F 6F 21 20 49 6E 63 2E 20 41 6C 6C 20 72 69 67  oo! Inc. All rig
68 74 73 20 72 65 73 65 72 76 65 64 2E 0A 3C 61  hts reserved..<a
20 68 72 65 66 3D 68 74 74 70 3A 2F 2F 70 72 69   href=http://pri
76 61 63 79 2E 79 61 68 6F 6F 2E 63 6F 6D 3E 50  vacy.yahoo.com>P
72 69 76 61 63 79 20 50 6F 6C 69 63 79 3C 2F 61  rivacy Policy</a
3E 20 2D 0A 3C 61 20 68 72 65 66 3D 68 74 74 70  > -.<a href=http
3A 2F 2F 64 6F 63 73 2E 79 61 68 6F 6F 2E 63 6F  ://docs.yahoo.co
6D 2F 69 6E 66 6F 2F 74 65 72 6D 73 2F 3E 54 65  m/info/terms/>Te
72 6D 73 20 6F 66 0A 53 65 72 76 69 63 65 3C 2F  rms of.Service</
61 3E 3C 2F 66 6F 6E 74 3E 3C 2F 63 65 6E 74 65  a></font></cente
72 3E 3C 2F 74 64 3E 3C 2F 74 72 3E 3C 2F 74 61  r></td></tr></ta
62 6C 65 3E 3C 2F 63 65 6E 74 65 72 3E 3C 2F 62  ble></center></b
6F 64 79 3E 3C 2F 68 74 6D 6C 3E 0A 0D 0A 30 0D  ody></html>...0.
0A 0D 0A                                         ...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] HTTP dialog with yahoo [**]
01/30-16:44:02.610596 0:40:F4:18:B6:44 -> 0:8:A1:26:75:73 type:0x800 
len:0x549
217.12.3.11:80 -> 192.168.1.104:56596 TCP TTL:52 TOS:0x0 ID:39581 
IpLen:20 DgmLen:1339 DF
***AP*** Seq: 0xB1ACB4EE  Ack: 0x8B420A62  Win: 0x4230  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 35 30 31 20 4D 65 74  HTTP/1.1 501 Met
68 6F 64 20 4E 6F 74 20 49 6D 70 6C 65 6D 65 6E  hod Not Implemen
74 65 64 0D 0A 44 61 74 65 3A 20 54 68 75 2C 20  ted..Date: Thu,
33 30 20 4A 61 6E 20 32 30 30 33 20 31 35 3A 34  30 Jan 2003 15:4
35 3A 30 36 20 47 4D 54 0D 0A 50 33 50 3A 20 70  5:06 GMT..P3P: p
6F 6C 69 63 79 72 65 66 3D 22 68 74 74 70 3A 2F  olicyref="http:/
2F 70 33 70 2E 79 61 68 6F 6F 2E 63 6F 6D 2F 77  /p3p.yahoo.com/w
33 63 2F 70 33 70 2E 78 6D 6C 22 2C 20 43 50 3D  3c/p3p.xml", CP=
22 43 41 4F 20 44 53 50 20 43 4F 52 20 43 55 52  "CAO DSP COR CUR
20 41 44 4D 20 44 45 56 20 54 41 49 20 50 53 41   ADM DEV TAI PSA
20 50 53 44 20 49 56 41 69 20 49 56 44 69 20 43   PSD IVAi IVDi C
4F 4E 69 20 54 45 4C 6F 20 4F 54 50 69 20 4F 55  ONi TELo OTPi OU
52 20 44 45 4C 69 20 53 41 4D 69 20 4F 54 52 69  R DELi SAMi OTRi
20 55 4E 52 69 20 50 55 42 69 20 49 4E 44 20 50   UNRi PUBi IND P
48 59 20 4F 4E 4C 20 55 4E 49 20 50 55 52 20 46  HY ONL UNI PUR F
49 4E 20 43 4F 4D 20 4E 41 56 20 49 4E 54 20 44  IN COM NAV INT D
45 4D 20 43 4E 54 20 53 54 41 20 50 4F 4C 20 48  EM CNT STA POL H
45 41 20 50 52 45 20 47 4F 56 22 0D 0A 41 6C 6C  EA PRE GOV"..All
6F 77 3A 20 54 52 41 43 45 0D 0A 43 6F 6E 6E 65  ow: TRACE..Conne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 54 72  ction: close..Tr
61 6E 73 66 65 72 2D 45 6E 63 6F 64 69 6E 67 3A  ansfer-Encoding:
20 63 68 75 6E 6B 65 64 0D 0A 43 6F 6E 74 65 6E   chunked..Conten
74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D  t-Type: text/htm
6C 3B 20 63 68 61 72 73 65 74 3D 69 73 6F 2D 38  l; charset=iso-8
38 35 39 2D 31 0D 0A 0D 0A 33 37 61 20 20 20 20  859-1....37a

This file (which is produced in the same session) shows that there are two 
server answers ... In fact there is only one! And the red packet is 
completely wrong, it should be a communication from the server to the 
client, and not from the client to the server (the following packet is 
good).

I don't understand why a detection in the same session shows two 
different answers, and why neither is a good answer.

Thank you in advance


Ben
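A sanity check on the packet log above, added here as an example and not code from the post or from the Snort project: it parses the IP header line and the TCP flags/Seq/Ack line of Snort's text packet-log format, learns each direction's initial sequence number from the SYN and SYN-ACK, and flags any packet whose Seq falls in the opposite direction's sequence space or whose TTL differs from that direction's baseline. The sample log is constructed by condensing the entries in the post; the mis-attributed 501 reply (TTL 240, ID 0, server's Seq but client's addresses) is the one it should flag.

```python
import re

# Constructed sample in Snort's text packet-log format, condensed from the
# post: SYN, SYN-ACK, client data, the suspicious "client" packet carrying
# the server's sequence number, and the genuine server reply.
SAMPLE_LOG = """\
192.168.1.104:56596 -> 217.12.3.11:80 TCP TTL:64 TOS:0x0 ID:11128 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8B4207EF  Ack: 0x0  Win: 0x16D0  TcpLen: 40
217.12.3.11:80 -> 192.168.1.104:56596 TCP TTL:52 TOS:0x0 ID:39424 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0xB1ACB4ED  Ack: 0x8B4207F0  Win: 0x4230  TcpLen: 24
192.168.1.104:56596 -> 217.12.3.11:80 TCP TTL:64 TOS:0x0 ID:11130 IpLen:20 DgmLen:585 DF
***AP*** Seq: 0x8B4207F0  Ack: 0xB1ACB4EE  Win: 0x16D0  TcpLen: 20
192.168.1.104:56596 -> 217.12.3.11:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:666
***AP*** Seq: 0xB1ACB4EE  Ack: 0x8B420A62  Win: 0x4230  TcpLen: 20
217.12.3.11:80 -> 192.168.1.104:56596 TCP TTL:52 TOS:0x0 ID:39581 IpLen:20 DgmLen:1339 DF
***AP*** Seq: 0xB1ACB4EE  Ack: 0x8B420A62  Win: 0x4230  TcpLen: 20
"""

IP_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) TCP TTL:(\d+)")
TCP_RE = re.compile(r"^(\S{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)")

def parse_packets(text):
    """Pair each IP header line with the TCP line that follows it."""
    pkts, ip = [], None
    for line in text.splitlines():
        m = IP_RE.match(line)
        if m:
            ip = m.groups()
            continue
        m = TCP_RE.match(line)
        if m and ip:
            src, sport, dst, dport, ttl = ip
            flags, seq, ack = m.groups()
            pkts.append(dict(src=f"{src}:{sport}", dst=f"{dst}:{dport}", ttl=int(ttl),
                             flags=flags, seq=int(seq, 16), ack=int(ack, 16)))
            ip = None
    return pkts

def find_misattributed(pkts, window=1 << 20):
    """Return indexes of packets whose Seq lies in the other direction's ISN
    space (and not in its own) or whose TTL differs from the SYN's TTL."""
    isn, ttl0, bad = {}, {}, []
    for i, p in enumerate(pkts):
        d, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        if "S" in p["flags"]:           # SYN / SYN-ACK fixes ISN and TTL per direction
            isn[d], ttl0[d] = p["seq"], p["ttl"]
            continue
        own = d in isn and (p["seq"] - isn[d]) % (1 << 32) < window
        other = rev in isn and (p["seq"] - isn[rev]) % (1 << 32) < window
        if (other and not own) or (d in ttl0 and p["ttl"] != ttl0[d]):
            bad.append(i)
    return bad
```

Run against the sample, only the fourth packet (index 3) is flagged: its Seq continues the server's ISN and its TTL is 240 instead of the client's 64.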