[Snort-users] Content not being detected

Jimmy Tharel jtharel at ...131...
Mon Feb 9 21:55:14 EST 2009


I recently upgraded from Snort 2.6 to 2.8.3.1 and the following rule has quit working. 

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ALERT -
POST - Execution of asp"; flow:to_server,established;
uricontent:"/ab/dir1/"; nocase; uricontent:".asp"; nocase; content:
"POST"; depth: 4; nocase; classtype:web-application-activity;
sid:1000004; rev:2;) 

It worked just fine in 2.6 but for whatever reason does not work in 2.8.3.1. 

My http_inspect section of my snort.conf is the same in both versions: 
preprocessor http_inspect: global \ 
iis_unicode_map unicode.map 1252 
preprocessor http_inspect_server: server default \ 
profile all ports { 80 8080 8180 } oversize_dir_length 500 

Could it be the difference between the Stream4 and Stream5 preprocessor? 
My Stream5 is configured with the defaults and the setup is: 
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ 
track_udp no 
preprocessor stream5_tcp: policy first, use_static_footprint_sizes 

I've read over the Stream5 README but I don't see anything that
would be causing that rule not to work. I've played with the max_tcp
and memcap settings but to no avail. Can anybody help me? 

Thanks! 
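To make the rule's match conditions explicit, here is an added Python illustration (not from the post and not Snort code) that applies the three checks from sid:1000004 to constructed HTTP requests; the URI normalization is a simplified stand-in for what http_inspect does and is an assumption, as are the sample requests.

```python
import re
from urllib.parse import unquote

# Match conditions taken from the rule in the post (sid:1000004).
URI_PATTERNS = ["/ab/dir1/", ".asp"]   # uricontent ...; nocase (both)
METHOD = b"POST"                        # content:"POST"; depth:4; nocase

def normalize_uri(raw_uri: str) -> str:
    """Simplified stand-in for http_inspect URI normalization (assumption):
    drop the query string, percent-decode, collapse '//', resolve './' and
    '../'. The real preprocessor does more (e.g. IIS unicode mapping)."""
    path = unquote(raw_uri.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    parts = []
    for seg in path.split("/"):
        if seg == "..":
            if len(parts) > 1:       # never pop the leading empty root segment
                parts.pop()
        elif seg != ".":
            parts.append(seg)
    return "/".join(parts)

def rule_matches(request: bytes) -> bool:
    """Apply the rule's content/uricontent checks to one raw HTTP request."""
    # content:"POST"; depth:4; nocase -> first 4 payload bytes, case-insensitive
    if request[:4].upper() != METHOD:
        return False
    fields = request.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(fields) < 2:
        return False
    # uricontent is evaluated against the normalized URI, not the raw bytes
    uri = normalize_uri(fields[1]).lower()
    return all(p in uri for p in URI_PATTERNS)

# Constructed sample requests (not traffic from the post).
SAMPLES = {
    "plain_post":   b"POST /ab/dir1/login.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "mixed_case":   b"post /AB/Dir1/x.ASP HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "encoded_path": b"POST /ab/%64ir1/../dir1/x.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "get_request":  b"GET /ab/dir1/login.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "other_dir":    b"POST /ab/dir2/login.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

def evaluate_samples() -> dict:
    return {name: rule_matches(req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:14s} {'ALERT' if hit else 'no match'}")
```

Running it shows which constructed requests the rule's conditions should fire on; if a real POST to a matching path fails to alert in 2.8.3.1, the difference lies in how the preprocessor presents the buffers, not in the rule's literal conditions.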

