[Snort-users] http_header not working

NIDS TEAM nidsteam at ...11827...
Mon Sep 29 11:57:56 EDT 2014


Indeed we only have this one rule for testing at the moment. I would expect
HTTP Inspect to have extracted a GET request and a HTTP Request Header.

We just found a solution to this problem, or rather the problem behind.
Figuring out the differences between Test installations and the real sensor
we found that the real network uses VLAN tags. While searching the web for
VLAN related snort issues, we found various possible traps with VLAN e.g.
http://seclists.org/snort/2010/q3/768. HTTP request and reply are indeed in
a different VLAN which confuses the Stream5 preprocessor.

Thus we successfully verified that we get alerts using 'config
vlan_agnostic'. Nevertheless, this rather should be fixed on the switches
which export the traffic.

Thanks for your support!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140929/6395c9fe/attachment.html>


More information about the Snort-users mailing list