[Snort-users] HTTP reassembly problem
joao.pedro.paulino.lima at ...11827...
Wed Oct 10 13:51:57 EDT 2012
No. I'm using output unified2
In most cases I'm able to get the packet from the event.
Only when reassembled packets are involved, the unified2Packet is missing.
2012/10/10 beenph <beenph at ...11827...>
> On Wed, Oct 10, 2012 at 1:35 PM, João Lima
> <joao.pedro.paulino.lima at ...11827...> wrote:
> > Ok I think it is getting somewhere...
> > Using the -A cmg option with the tweaked rule Russ sent me I see that the
> > alert is being sent on the reassembled packet...
> > However, when I remove the -A cmg option to have the output being sent to
> > unified2 the packet suddenly does not appear...
> > When I inject the pcap on the network, the only thing I receive in
> > is the unified2Event and never receive the unified2Packet...
> > Is it needed extra configuration to send reassembled packets to
> > Thank you in advance for your help. You have been great.
> > João Lima
> Do you use output unified2:?
> Sounds like you are using output alert_unified2:
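
One way to check the symptom described in this thread (a unified2Event arriving with no matching unified2Packet) directly against the spool file. This is an added example, not code from the thread or from the Snort project. It assumes the Snort 2.9 unified2 layout: an 8-byte big-endian type/length header per record, with event_id as the second 32-bit field of both event and packet records. The helper names and the sample data are constructed for illustration.

```python
import struct

# Record type codes from Snort 2.9's unified2 format (assumed here).
PACKET = 2
EVENT_TYPES = {7, 72, 104, 105}  # IPv4/IPv6 events, legacy and VLAN-aware

def iter_records(buf):
    """Yield (type, body) for each record; stop cleanly on a truncated tail."""
    off = 0
    while off + 8 <= len(buf):
        rtype, rlen = struct.unpack_from(">II", buf, off)
        body = buf[off + 8 : off + 8 + rlen]
        if len(body) < rlen:
            break  # partial record: the file is still being written
        yield rtype, body
        off += 8 + rlen

def events_without_packets(buf):
    """Return sorted event_ids that have an event record but no packet record."""
    events, packets = set(), set()
    for rtype, body in iter_records(buf):
        if len(body) < 8:
            continue  # too short to carry sensor_id + event_id
        event_id = struct.unpack_from(">I", body, 4)[0]
        if rtype in EVENT_TYPES:
            events.add(event_id)
        elif rtype == PACKET:
            packets.add(event_id)
    return sorted(events - packets)

def _record(rtype, body):
    return struct.pack(">II", rtype, len(body)) + body

def _event(event_id):
    # sensor_id, event_id, then the remaining 44 bytes of the 52-byte event zeroed
    return _record(7, struct.pack(">II", 0, event_id) + bytes(44))

def _packet(event_id, data):
    # sensor_id, event_id, event_second, packet_second, packet_microsecond,
    # linktype, packet_length, then the packet bytes
    hdr = struct.pack(">IIIIIII", 0, event_id, 0, 0, 0, 1, len(data))
    return _record(PACKET, hdr + data)

# Constructed sample: event 1 has its packet, event 2 arrives alone.
SAMPLE = _event(1) + _packet(1, bytes(60)) + _event(2)

if __name__ == "__main__":
    print(events_without_packets(SAMPLE))
```

To run it on a real spool file, pass the file's bytes to events_without_packets(); any ids it returns are events for which the output plugin wrote no packet record.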