[Snort-users] HTTP reassembly problem

João Lima joao.pedro.paulino.lima at ...11827...
Wed Oct 10 13:51:57 EDT 2012


No. I'm using output unified2

In most cases I'm able to get the packet from the event.

Only when reassembled packets are involved is the unified2Packet missing.

João Lima

2012/10/10 beenph <beenph at ...11827...>

> On Wed, Oct 10, 2012 at 1:35 PM, João Lima
> <joao.pedro.paulino.lima at ...11827...> wrote:
> > Ok I think it is getting somewhere...
> >
> > Using the -A cmg option with the tweaked rule Russ sent me, I see that the
> > alert is being sent on the reassembled packet...
> >
> > However, when I remove the -A cmg option to have the output sent to
> > unified2, the packet suddenly does not appear...
> >
> > When I inject the pcap onto the network, the only thing I receive in
> > unified2 is the unified2Event; I never receive the unified2Packet...
> >
> > Is extra configuration needed to send reassembled packets to unified2?
> >
> > Thank you in advance for your help. You have been great.
> >
> > João Lima
> Do you use output unified2:?
>
> Sounds like you are using output alert_unified2:
>
> -elz
>
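The distinction beenph is asking about is which unified2 output plugin is configured: in Snort 2, `output alert_unified2:` writes event records only, `output log_unified2:` writes packet records only, and `output unified2:` writes both. When a packet is missing from the spool it helps to see exactly which events lack a packet record rather than eyeballing the file. The following script is an added example, not code from the thread or from Snort; it walks a unified2 spool file, pairs packet records with their events by (sensor_id, event_id), and lists the events that have no packet. The record type codes and the IPv4 IDS_EVENT and Unified2Packet layouts are those of Snort's on-disk unified2 format; the sample bytes at the bottom are constructed here and do not reproduce João's capture.

```python
"""Report unified2 events that were written without a packet record.

Snort 2 output plugins (only the last one writes both record kinds):
    output alert_unified2: filename snort.alert, limit 128   # events only
    output log_unified2:   filename snort.log,   limit 128   # packets only
    output unified2:       filename snort.u2,    limit 128   # events + packets
"""
import struct
import sys
from collections import OrderedDict

# Record type codes from Snort's unified2 format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_V2 = 104
UNIFIED2_IDS_EVENT_IPV6_V2 = 105
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_V2, UNIFIED2_IDS_EVENT_IPV6_V2}

RECORD_HDR = struct.Struct("!II")   # type, length; network byte order
# IPv4 IDS_EVENT body: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
# Unified2Packet header before the raw packet bytes: 7 x uint32 = 28 bytes
PACKET_HDR = struct.Struct("!IIIIIII")


def iter_records(data):
    """Yield (type, body) for each record; raise on a truncated file."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        body = data[off:off + rlen]
        if len(body) < rlen:
            raise ValueError("truncated record at offset %d" % (off - RECORD_HDR.size))
        yield rtype, body
        off += rlen


def events_missing_packets(data):
    """Return (sensor_id, event_id) keys of events with no packet record.

    Both IDS_EVENT and Unified2Packet begin with sensor_id, event_id, so the
    first 8 bytes of either body are enough to pair them.
    """
    seen = OrderedDict()
    for rtype, body in iter_records(data):
        key = struct.unpack_from("!II", body, 0)
        if rtype in EVENT_TYPES:
            seen.setdefault(key, False)
        elif rtype == UNIFIED2_PACKET:
            seen[key] = True
    return [key for key, has_pkt in seen.items() if not has_pkt]


def record(rtype, body):
    return RECORD_HDR.pack(rtype, len(body)) + body


def event_body(sensor_id, event_id, sid, gid=1):
    # event_second, event_usec, sid, gid, rev, class, prio, src, dst, sport, dport,
    # proto(6=TCP), impact_flag, impact, blocked -- values are placeholders
    return IDS_EVENT.pack(sensor_id, event_id, 1349891517, 0, sid, gid, 1, 0, 3,
                          0x0A000001, 0x0A000002, 40000, 80, 6, 0, 0, 0)


def packet_body(sensor_id, event_id, payload):
    # event_second, packet_second, packet_usec, linktype 1 = DLT_EN10MB
    return PACKET_HDR.pack(sensor_id, event_id, 1349891517, 1349891517, 0, 1,
                           len(payload)) + payload


# Constructed sample spool: event 1 carries its packet, event 2 does not.
SAMPLE = (record(UNIFIED2_IDS_EVENT, event_body(1, 1, sid=1000001))
          + record(UNIFIED2_PACKET, packet_body(1, 1, b"\x00" * 60))
          + record(UNIFIED2_IDS_EVENT, event_body(1, 2, sid=1000002)))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for sensor_id, event_id in events_missing_packets(data):
        print("sensor %d event %d: no unified2Packet" % (sensor_id, event_id))
```

Run it against a real spool with `python check_u2.py /var/log/snort/snort.u2.1349891517`; with no argument it runs over the constructed sample and reports event 2. The pairing is by (sensor_id, event_id) only, which is correct within one spool file; if you concatenate files from sensors that restarted and reused event ids, split the check per file.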