[Snort-users] Strange HTTP results

Jeremy Hoel jthoel at ...11827...
Sun Dec 16 00:58:51 EST 2012


A copy of the rule and a pcap of the traffic would be helpful.

On Sat, Dec 15, 2012 at 8:21 PM, Michael Papagiorgio
<mrapagiorgio at ...11827...> wrote:
> Dear snort gurus,
>
> I am trying to see why a rule didn't fire on a snort 2.9.4 system, but it
> does on a different system running snort 2.9.2.1.  I am reading from the
> same pcap file on each system.  The rule hits on a certain HTTP POST
> pattern.  The 2.9.2.1 system correctly identifies and throws an alert.
> 2.9.4 doesn't even see any HTTP POSTs in the pcap at all.  I upgraded from
> 2.9.3.2 to 2.9.4 to see if I could get it to work, but neither version
> worked.  The rule will never fire if the issue is so low level that snort
> sees no POSTs.  I tried using the working 2.9.2.1 snort.conf on the 2.9.4
> system, but that didn't work either.
>
> Can someone give me an idea where to look? This is really vexing me.



