[Snort-users] "HTTP inspect preprocessor: UNKNOWN METHOD"

James Lay jlay at ...13475...
Sat Jun 22 11:51:58 EDT 2013


On 2013-06-20 18:53, James Lay wrote:
> Got a packet capture of one of these you can share?
>
> James
>
> On Jun 20, 2013, at 8:58 AM, saiwer saiwer <saiwer.saiwer at ...11827...> wrote:
>

>>
>> [   0] 00 01 D7 A2 87 45 88 43 E1 0C 53 5C 81 00 01 2C  .....E.C..S...,
>> [  16] 08 00 45 00 05 8C 11 A9 40 00 80 06 D2 62 C0 A8  ..E.....@....b..
>> [  32] 32 DE 0A 86 13 54 EA 0E 00 50 BF F4 55 2E E7 08  2....T...P..U...
>> [  48] E0 EB 50 10 80 07 2F C2 00 00 50 4F 53 54 20 2F  ..P.../...POST /
>> [  64] 6F 77 61 43 6F 72 72 65 6F 2F 65 76 2E 6F 77 61  owaCorreo/ev.owa
>> [  80] 3F 6F 65 68 3D 31 26 6E 73 3D 50 65 6E 64 69 6E  ?oeh=1&ns=Pendin
>> [  96] 67 52 65 71 75 65 73 74 26 65 76 3D 46 69 6E 69  gRequest&ev=Fini
>> [ 112] 73 68 4E 6F 74 69 66 69 63 61 74 69 6F 6E 52 65  shNotificationRe
>> [ 128] 71 75 65 73 74 26 55 41 3D 30 20 48 54 54 50 2F  quest&UA=0 HTTP/
>> [ 144] 31 2E 31 0D 0A                                   1.1..


So after using text2pcap, this is a weird packet.  Everything looks
fine in Wireshark (Ethernet, VLAN, IP, TCP), but Wireshark simply
doesn't see this as HTTP, even if forced.  Not much more I can do
without a better capture.

James
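As an added example (not code from the thread or from the Snort project), the script below does by hand what the reply describes doing with text2pcap and Wireshark: it rebuilds the quoted hex dump into raw bytes, wraps them in a minimal libpcap file, walks the Ethernet II, 802.1Q, IPv4 and TCP headers, and compares the length the IPv4 header claims with the number of bytes actually present. All function and field names are my own, the zero pcap timestamp is an assumption, and the request-line check is the RFC 7230 grammar, not the HTTP inspect preprocessor's own method list.

```python
"""Decode the hex dump quoted in the thread and report what a dissector would see."""
import re
import struct
from dataclasses import dataclass
from typing import Optional

# The frame bytes exactly as quoted in the thread (offsets and ASCII column stripped).
THREAD_DUMP = """
00 01 D7 A2 87 45 88 43 E1 0C 53 5C 81 00 01 2C
08 00 45 00 05 8C 11 A9 40 00 80 06 D2 62 C0 A8
32 DE 0A 86 13 54 EA 0E 00 50 BF F4 55 2E E7 08
E0 EB 50 10 80 07 2F C2 00 00 50 4F 53 54 20 2F
6F 77 61 43 6F 72 72 65 6F 2F 65 76 2E 6F 77 61
3F 6F 65 68 3D 31 26 6E 73 3D 50 65 6E 64 69 6E
67 52 65 71 75 65 73 74 26 65 76 3D 46 69 6E 69
73 68 4E 6F 74 69 66 69 63 61 74 69 6F 6E 52 65
71 75 65 73 74 26 55 41 3D 30 20 48 54 54 50 2F
31 2E 31 0D 0A
"""

# RFC 7230 request-line: method SP request-target SP HTTP-version (no CRLF here,
# the caller strips it).  This is a grammar check, not Snort's known-method list.
REQUEST_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) (\S+) HTTP/(\d)\.(\d)$")


@dataclass
class Decoded:
    vlan_id: Optional[int]
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    tcp_flags: int
    ip_total_len: int      # what the IPv4 header claims
    ip_captured_len: int   # how many IP bytes are actually in the frame
    payload: bytes
    request_line: Optional[str]   # None when the first line is not a valid request-line

    @property
    def missing_bytes(self) -> int:
        """Bytes the IP header promises but the capture does not contain."""
        return max(0, self.ip_total_len - self.ip_captured_len)


def hexdump_to_bytes(text: str) -> bytes:
    """Rebuild raw frame bytes from a whitespace-separated hex dump."""
    return bytes.fromhex("".join(text.split()))


def decode_frame(frame: bytes) -> Decoded:
    """Walk Ethernet II / optional 802.1Q / IPv4 / TCP and pull out the payload."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    vlan_id = None
    off = 14
    if ethertype == 0x8100:                      # 802.1Q tag present
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id = tci & 0x0FFF
        off = 18
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")

    ihl = (frame[off] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, off + 2)[0]
    proto = frame[off + 9]
    if proto != 6:
        raise ValueError(f"not TCP: protocol {proto}")
    src_ip = ".".join(str(b) for b in frame[off + 12:off + 16])
    dst_ip = ".".join(str(b) for b in frame[off + 16:off + 20])

    tcp = off + ihl
    src_port, dst_port = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    flags = frame[tcp + 13]
    payload = frame[tcp + data_off:]

    first_line = payload.split(b"\r\n", 1)[0] if payload else b""
    request_line = first_line.decode("ascii", "replace") if REQUEST_LINE.match(first_line) else None

    return Decoded(vlan_id, src_ip, dst_ip, src_port, dst_port, flags,
                   total_len, len(frame) - off, payload, request_line)


def frame_to_pcap(frame: bytes) -> bytes:
    """Wrap one frame in a libpcap file (LINKTYPE_ETHERNET = 1), as text2pcap would.
    Timestamp is zero because the thread gives none (assumption)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return header + record + frame


if __name__ == "__main__":
    frame = hexdump_to_bytes(THREAD_DUMP)
    d = decode_frame(frame)
    print(f"VLAN {d.vlan_id}  {d.src_ip}:{d.src_port} -> {d.dst_ip}:{d.dst_port}  flags=0x{d.tcp_flags:02x}")
    print(f"IP total length {d.ip_total_len}, captured {d.ip_captured_len}, missing {d.missing_bytes}")
    print(f"request line: {d.request_line!r}")
    with open("thread_packet.pcap", "wb") as f:
        f.write(frame_to_pcap(frame))
```

On the bytes quoted above the script reports VLAN 300, 192.168.50.222:59918 to 10.134.19.84:80 with only ACK set, a well-formed `POST ... HTTP/1.1` request line as the entire 91-byte payload, and an IPv4 total length of 1420 against 131 IP bytes actually present. That 1289-byte shortfall is the first thing to compare against the original capture, since a dissector that trusts the IP length field is working from a segment it cannot see the end of.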
