[Snort-users] HTTP reassembly problem - Snort 2.9.6.1

Mateusz Pigulski m.pigulski at ...11827...
Thu Jun 26 08:45:29 EDT 2014


Hi Joel, have you tried to reproduce this issue?


2014-06-23 8:56 GMT+02:00 Mateusz Pigulski <m.pigulski at ...11827...>:

>  Sure, you can find everything in the attachments. During my test I sent an HTTP
> POST request via curl:
>
>  curl -i http://10.11.169.41:50007/kabira/kpsa/submitOrder -H
> "Content-Type: text/xml" --data-binary "@testreq.xml"
>
> In the attachment you can find the XML file which I sent via curl.
>
>
> 2014-06-23 0:33 GMT+02:00 Joel Esler (jesler) <jesler at ...589...>:
>
>  Do you have packet captures and a configuration we can use to reproduce
>> the issue?
>>
>> --
>> Joel Esler
>> Sent from my iPhone
>>
>> On Jun 22, 2014, at 16:04, "Mateusz Pigulski" <m.pigulski at ...11827...>
>> wrote:
>>
>>   Hello, does anybody know this issue?
>>
>>
>> 2014-06-17 23:14 GMT+02:00 Mateusz Pigulski <m.pigulski at ...11827...>:
>>
>>>
>>> Hi experts!!!
>>>
>>> I am a new user on the mailing list and also new to Snort, so first I want
>>> to say hello!
>>> I have configured Snort 2.9.6.1 with DAQ 2.0.2 and PF_RING 5.6.1. I want
>>> to use Snort to capture HTTP POSTs which are forwarded to my system. I have
>>> a problem with configuring the output to store the reassembled packets.
>>> When the size of the HTTP POST is larger than 1500, I can see in my unified2 file
>>> that every TCP segment is stored as an event and a packet, so if the HTTP POST
>>> consists of 2 TCP segments I have 2 events and 2 packets; from my point of
>>> view it would be better to have only one event and packet for the reassembled
>>> packet. I have read this thread: http://seclists.org/snort/2012/q4/758,
>>> and 2 years ago it was impossible, so my question is: is it possible to
>>> configure the unified2 output in Snort 2.9.6.1 to store reassembled
>>> packets?
>>>
>>>  -------------
>>> BR
>>> Mateusz
>>>
>>
>>
>>
>> --
>>
>> ------------
>> Mateusz
>>
>>
>>
>
>
> --
>
> ------------
> Mateusz
>



-- 

------------
Mateusz
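The behaviour described in the thread (one unified2 event and one packet record per TCP segment, so a POST larger than one MSS shows up as two events) can be undone after the fact on the consumer side. The script below is an added example, not code from the thread or from Snort: it reads a unified2 file image, parses the raw Ethernet/IPv4/TCP frame inside each packet record, groups records by client-to-server flow and stitches the TCP payloads back together in sequence order, trimming overlaps and counting gaps. The record layouts are the legacy IPv4 `Serial_Unified2IDSEvent` and `Serial_Unified2Packet` structs as I know them from Snort 2.9's `unified2.h`; the sample file is constructed inline, and the client address 10.11.169.42, source port 40000 and the event/signature ids are assumed for illustration only.

```python
"""Group per-segment unified2 events back into one reassembled HTTP request.

Added example, not part of the thread or of Snort. Record layouts follow the
legacy IPv4 IDS event and packet structs from Snort 2.9's unified2.h as I know
them; the sample data, addresses and ports below are constructed/assumed.
"""
import socket
import struct
from collections import defaultdict

UNIFIED2_PACKET = 2          # record type of Serial_Unified2Packet
UNIFIED2_IDS_EVENT = 7       # record type of the legacy IPv4 IDS event

REC_HDR = struct.Struct("!II")                              # type, length
IDS_EVENT = struct.Struct("!" + "I" * 11 + "HH" + "BBBB")   # 52-byte event body
PKT_HDR = struct.Struct("!" + "I" * 7)                      # 28 bytes, then raw frame


def ip_int(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def build_tcp_frame(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; sample data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def u2_event(event_id, src, dst, sport, dport):
    """Legacy IPv4 IDS event record; sid 1000001 / gid 1 are assumed values."""
    body = IDS_EVENT.pack(1, event_id, 1403000000, 0, 1000001, 1, 1, 0, 3,
                          ip_int(src), ip_int(dst), sport, dport, 6, 0, 0, 0)
    return REC_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def u2_packet(event_id, frame):
    """Packet record: sensor, event id, times, linktype 1 (Ethernet), length, frame."""
    hdr = PKT_HDR.pack(1, event_id, 1403000000, 1403000000, 0, 1, len(frame))
    return REC_HDR.pack(UNIFIED2_PACKET, len(hdr) + len(frame)) + hdr + frame


# Constructed sample: one POST larger than one MSS, logged as two event/packet pairs.
CLIENT, SERVER, SPORT, DPORT, MSS = "10.11.169.42", "10.11.169.41", 40000, 50007, 1460
XML_BODY = b"<order>" + b"x" * 1600 + b"</order>"
REQUEST = (b"POST /kabira/kpsa/submitOrder HTTP/1.1\r\nHost: 10.11.169.41:50007\r\n"
           b"Content-Type: text/xml\r\nContent-Length: %d\r\n\r\n" % len(XML_BODY)) + XML_BODY
SEGMENTS = [(1000 + i, REQUEST[i:i + MSS]) for i in range(0, len(REQUEST), MSS)]
SAMPLE_UNIFIED2 = b"".join(
    u2_event(n, CLIENT, SERVER, SPORT, DPORT)
    + u2_packet(n, build_tcp_frame(CLIENT, SERVER, SPORT, DPORT, seq, data))
    for n, (seq, data) in enumerate(SEGMENTS, start=1))


def read_records(blob):
    """Yield (type, body) for each unified2 record in a file image."""
    off = 0
    while off + REC_HDR.size <= len(blob):
        rtype, length = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        yield rtype, blob[off:off + length]
        off += length


def tcp_segment(frame):
    """Return ((src, dst, sport, dport), seq, payload) for an IPv4/TCP Ethernet frame."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip, ihl = 14, (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, ip + 2)[0]
    if frame[ip + 9] != 6:
        return None
    src = socket.inet_ntoa(frame[ip + 12:ip + 16])
    dst = socket.inet_ntoa(frame[ip + 16:ip + 20])
    tcp = ip + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    return (src, dst, sport, dport), seq, frame[tcp + doff:ip + total_len]


def reassemble(segments):
    """Stitch (seq, payload) pairs in sequence order; trim overlaps, count gaps."""
    out, nxt, gaps = bytearray(), None, 0
    for seq, data in sorted(segments):
        if nxt is None:
            nxt = seq
        if seq < nxt:                  # retransmission/overlap: drop bytes already kept
            data, seq = data[nxt - seq:], nxt
        elif seq > nxt:                # missing segment: record it rather than guess
            gaps += 1
        out += data
        nxt = seq + len(data)
    return bytes(out), gaps


def merge_flows(blob):
    """Map each client->server flow to its event ids and reassembled payload."""
    flows = defaultdict(lambda: {"event_ids": [], "segments": []})
    for rtype, body in read_records(blob):
        if rtype != UNIFIED2_PACKET:
            continue
        event_id = PKT_HDR.unpack_from(body)[1]
        parsed = tcp_segment(body[PKT_HDR.size:])
        if parsed is None:
            continue
        key, seq, payload = parsed
        flows[key]["event_ids"].append(event_id)
        flows[key]["segments"].append((seq, payload))
    result = {}
    for key, f in flows.items():
        payload, gaps = reassemble(f["segments"])
        result[key] = {"event_ids": f["event_ids"], "payload": payload, "gaps": gaps}
    return result


if __name__ == "__main__":
    for key, f in merge_flows(SAMPLE_UNIFIED2).items():
        print(key, "events", f["event_ids"], "bytes", len(f["payload"]), "gaps", f["gaps"])
```

On a real file you would replace SAMPLE_UNIFIED2 with the bytes of one snort.log.NNNN file; the grouping key is deliberately the one-way 4-tuple, so a flow with many events still collapses to a single reassembled request, and a non-zero gap count tells you a segment was never logged (for example because only some segments matched the rule) rather than silently producing a truncated body.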

