[Snort-users] HTTP reassembly problem - Snort 2.9.6.1

Mateusz Pigulski m.pigulski at ...11827...
Fri Jun 27 11:25:42 EDT 2014


ok thx


2014-06-27 16:51 GMT+02:00 Joel Esler (jesler) <jesler at ...589...>:

>  I’ve sent this to the development team
>
>  On Jun 26, 2014, at 8:45 AM, Mateusz Pigulski <m.pigulski at ...11827...>
> wrote:
>
>  Hi Joel, have you tried to reproduce this issue?
>
>
> 2014-06-23 8:56 GMT+02:00 Mateusz Pigulski <m.pigulski at ...11827...>:
>
>>   Sure, you can find everything in the attachments. During my test I sent an
>> HTTP POST request via curl:
>>
>>  curl -i http://10.11.169.41:50007/kabira/kpsa/submitOrder -H
>> "Content-Type: text/xml" --data-binary "@testreq.xml"
>>
>>  In the attachment you can find the xml file which I sent via curl.
>>
>>
>> 2014-06-23 0:33 GMT+02:00 Joel Esler (jesler) <jesler at ...589...>:
>>
>>>  Do you have packet captures and a configuration we can use to reproduce
>>> the issue?
>>>
>>> --
>>> Joel Esler
>>> Sent from my iPhone
>>>
>>> On Jun 22, 2014, at 16:04, "Mateusz Pigulski" <m.pigulski at ...11827...>
>>> wrote:
>>>
>>>   Hello, does anybody know this issue?
>>>
>>>
>>> 2014-06-17 23:14 GMT+02:00 Mateusz Pigulski <m.pigulski at ...11827...>:
>>>
>>>>
>>>> Hi experts!!!
>>>>
>>>> I am a new user on the mailing list and also new to snort, so firstly I want
>>>> to say Hello!!.
>>>> I have configured Snort 2.9.6.1 with daq 2.0.2 and pf_ring 5.6.1. I
>>>> want to use snort to capture HTTP POSTs which are forwarded to my system. I
>>>> have a problem with configuring the output to store the reassembled
>>>> packets. When the size of the HTTP POST is larger than 1500, I can see in my
>>>> unified2 file that every tcp segment is stored as an event and packet, so if
>>>> the HTTP POST consists of 2 tcp segments I have 2 events and 2 packets; from my
>>>> point of view it would be better to have only one event and packet for the
>>>> reassembled packet. I have read this thread:
>>>> http://seclists.org/snort/2012/q4/758, and 2 years ago it was
>>>> impossible, so my question is: is it possible to configure in snort 2.9.6.1
>>>> output with unified2 to store reassembled packets?
>>>>
>>>>  -------------
>>>> BR
>>>> Mateusz
>>>>
>>>
>>>
>>>
>>> --
>>>
>>> ------------
>>> Mateusz
>>>
>>>
>>>
>>
>>
>> --
>>
>> ------------
>> Mateusz
>>
>
>
>
> --
>
> ------------
> Mateusz
>
>
>


-- 

------------
Mateusz
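The behaviour described in the quoted question (one unified2 event plus one packet record per TCP segment of a large POST) is easiest to see, and to work around on the consumer side, with a small reader that groups packet records by their event and then by flow. The following is an added example, not code from the thread or from Snort itself. The record layouts follow Snort's Unified2_common.h (type 7 = Unified2IDSEvent_legacy, type 2 = Unified2Packet, all fields big-endian); the two-segment sample file, the client address 10.0.0.5:40000 and the signature id 1000001 are constructed for the illustration, and the packet records carry only the application payload rather than full Ethernet frames.

```python
"""Group unified2 packet records by event and by flow (added example).

Layouts from Snort's Unified2_common.h:
  record header : uint32 type, uint32 length
  type 7 event  : 11 x uint32, 2 x uint16, 4 x uint8 (52 bytes)
  type 2 packet : 7 x uint32 header, then packet_length bytes of packet data
"""
import struct
from collections import OrderedDict
from ipaddress import IPv4Address

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7                    # Unified2IDSEvent_legacy (IPv4)
RECORD_HDR = struct.Struct("!II")         # type, length
IDS_EVENT = struct.Struct("!11I2H4B")     # 52-byte IPv4 event body
PKT_HDR = struct.Struct("!7I")            # sensor, event_id, event_sec, pkt_sec, pkt_usec, linktype, pkt_len


def iter_records(data):
    """Yield (type, body) for each record; stop cleanly on a truncated tail."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + length > len(data):
            break                          # record still being written, or corrupt file
        yield rtype, data[off:off + length]
        off += length


def group_by_event(data):
    """Map (sensor_id, event_id, event_second) -> {"event": fields, "packets": [bytes]}."""
    groups = OrderedDict()
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
            f = IDS_EVENT.unpack_from(body)
            g = groups.setdefault((f[0], f[1], f[2]), {"event": None, "packets": []})
            g["event"] = {
                "gid": f[5], "sid": f[4], "rev": f[6],
                "src": str(IPv4Address(f[9])), "dst": str(IPv4Address(f[10])),
                "sport": f[11], "dport": f[12], "proto": f[13],
            }
        elif rtype == UNIFIED2_PACKET and len(body) >= PKT_HDR.size:
            f = PKT_HDR.unpack_from(body)
            g = groups.setdefault((f[0], f[1], f[2]), {"event": None, "packets": []})
            g["packets"].append(body[PKT_HDR.size:PKT_HDR.size + f[6]])
    return groups


def flow_key(ev):
    return (ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["proto"])


def events_per_flow(data):
    """How many separate events Snort logged for each TCP flow."""
    counts = {}
    for g in group_by_event(data).values():
        if g["event"] is not None:
            k = flow_key(g["event"])
            counts[k] = counts.get(k, 0) + 1
    return counts


def concat_flow_payloads(data):
    """Consumer-side workaround: join the logged packet bytes of all events on one
    flow, in file order. This only concatenates what was written per segment; it
    does not reorder out-of-order segments or drop retransmissions."""
    out = OrderedDict()
    for g in group_by_event(data).values():
        if g["event"] is not None:
            k = flow_key(g["event"])
            out[k] = out.get(k, b"") + b"".join(g["packets"])
    return out


# --- constructed sample file: one POST split over two segments, logged as two events ---
def make_record(rtype, body):
    return RECORD_HDR.pack(rtype, len(body)) + body


def make_event(sensor_id, event_id, second, sid, src, dst, sport, dport):
    body = IDS_EVENT.pack(sensor_id, event_id, second, 0, sid, 1, 1, 0, 3,
                          int(IPv4Address(src)), int(IPv4Address(dst)),
                          sport, dport, 6, 0, 0, 0)            # proto 6 = TCP
    return make_record(UNIFIED2_IDS_EVENT, body)


def make_packet(sensor_id, event_id, second, payload):
    body = PKT_HDR.pack(sensor_id, event_id, second, second, 0, 1, len(payload)) + payload
    return make_record(UNIFIED2_PACKET, body)


SEG1 = (b"POST /kabira/kpsa/submitOrder HTTP/1.1\r\nContent-Type: text/xml\r\n\r\n"
        b"<order>" + b"A" * 1400)
SEG2 = b"B" * 600 + b"</order>"
SAMPLE = (make_event(1, 1, 1403000000, 1000001, "10.0.0.5", "10.11.169.41", 40000, 50007)
          + make_packet(1, 1, 1403000000, SEG1)
          + make_event(1, 2, 1403000000, 1000001, "10.0.0.5", "10.11.169.41", 40000, 50007)
          + make_packet(1, 2, 1403000000, SEG2))

if __name__ == "__main__":
    for flow, n in events_per_flow(SAMPLE).items():
        print("%s:%d -> %s:%d  events=%d  joined_bytes=%d"
              % (flow[0], flow[1], flow[2], flow[3], n, len(concat_flow_payloads(SAMPLE)[flow])))
```

Running it on the constructed sample prints two events for the single flow, which is exactly the symptom in the question; `concat_flow_payloads` then yields the whole POST body from the separate packet records. The same reader runs unchanged over a real `snort.log.*` file, but note it only handles IPv4 type-7 events; IPv6 and VLAN event types have different bodies and are skipped here.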