[Snort-users] Strange HTTP results

Jeremy Hoel jthoel at ...11827...
Sun Dec 16 00:58:51 EST 2012

A copy of the rule and a pcap of the traffic would be helpful.

On Sat, Dec 15, 2012 at 8:21 PM, Michael Papagiorgio
<mrapagiorgio at ...11827...> wrote:
> Dear snort gurus,
> I am trying to see why a rule didn't fire on a snort 2.9.4 system, but it
> does on a different system running snort  I am reading from the
> same pcap file on each system.  The rule hits on a certain HTTP POST
> pattern.  The system correctly identifies and throws an alert.
> 2.9.4 doesn't even see any HTTP POSTs in the pcap at all.  I upgraded from
> to to 2.9.4 to see if I could get it to work, but neither  version
> worked.  The rule will never fire if the issue is so low level that snort
> sees no POSTs.  I tried using the working snort.conf on the 2.9.4
> system, but that didn't work either.
> Can someone give me an idea where to look? This is really vexing me.