[Snort-users] snort and http_inspect

Joel Esler jesler at ...1935...
Tue Feb 26 21:19:01 EST 2013


Can you send the pcap off list?

--
Joel Esler
Sent from my iPhone 

On Feb 26, 2013, at 8:41 PM, Ruyk <lonely.ruyk at ...9554...> wrote:

> Hello, list.
> 
> I have a problem with Snort on Ubuntu Server 12 (x86_64).
> The HTTP inspect preprocessor won't handle HTTP packets.
> 
> I wrote a test rule in local.rules:
> 
> alert tcp any any <> any any (msg:"test alert";content:"GET"; nocase; http_header; classtype:trojan-activity; sid:2000004201;)
> 
> Then I run snort like this:
> /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -r /tmp/test_http_alerts.pcap
> 
> where test_http_alerts.pcap contains requests to a web server via a proxy (port 3128).
> 
> But this alert doesn't trigger, and HTTP inspect reports:
>    POST methods:                         0
>    GET methods:                          0
> 
> Files with additional info are in the attachment.
> 
> P.S.: Sorry for my English
> <snort.conf>
> <snort_output.txt>