[Snort-users] Strange HTTP results
jthoel at ...11827...
Sun Dec 16 00:58:51 EST 2012
A copy of the rule and a pcap of the traffic would be helpful.
On Sat, Dec 15, 2012 at 8:21 PM, Michael Papagiorgio
<mrapagiorgio at ...11827...> wrote:
> Dear snort gurus,
> I am trying to see why a rule didn't fire on a snort 2.9.4 system, but it
> does on a different system running snort 18.104.22.168. I am reading from the
> same pcap file on each system. The rule hits on a certain HTTP POST
> pattern. The 22.214.171.124 system correctly identifies and throws an alert.
> 2.9.4 doesn't even see any HTTP POSTs in the pcap at all. I upgraded from
> 126.96.36.199 to 2.9.4 to see if I could get it to work, but neither version
> worked. The rule will never fire if the issue is so low level that snort
> sees no POSTs. I tried using the working 188.8.131.52 snort.conf on the 2.9.4
> system, but that didn't work either.
> Can someone give me an idea where to look? This is really vexing me.