[Snort-users] http_header not working
wkitty42 at ...14940...
Mon Sep 29 10:56:20 EDT 2014
On 9/29/2014 7:52 AM, NIDS TEAM wrote:
> So I just compiled Snort with --enable-sourcefire.
> Snort runs with the following rule:
> alert tcp any any <> any any (msg:"TEST HOST alert"; content:"google"; http_uri;
> gid:1; sid:99999; rev:2;)
are you saying that you have no other rules at all? only this one rule plus the
built-in ones in the internal functions?
> I then do one single request to www.google.com/mail
> The following request is visible with Snort (I do not copy all the SYN/ACK packets):
> It looks like the http_inspect preprocessor doesn't do anything here, besides
> passing the packet.
> The http_inspect configuration is identical to:
what do you expect to see from the http_inspect preprocessor? where do you
expect to see it emitted?
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
More information about the Snort-users