[Snort-users] Question: Snort-Alerts do not fire when traffic goes thru proxy

Victor Roemer viroemer at ...589...
Fri Mar 27 14:29:35 EDT 2015


Claus,

Is your proxy injecting additional headers into the HTTP traffic? (usual 
suspect). Try bumping the "server_flow_depth" and "client_flow_depth" 
values in your Snort configuration.

On 03/23/15 10:07, Claus Regelmann wrote:
> Message was discarded by filter '\Custom\Strong\PHP' on line 2
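The effect suggested in the reply, as an added example that is not part of the original message and is not Snort code: a simplified model of a flow-depth limit, showing how headers injected by a proxy can push a matched pattern past the inspected window. The request, the proxy headers, the pattern, the function names and the depth of 300 are constructed assumptions; check the actual values in your own snort.conf.

```python
# Simplified model (an assumption, not Snort source): a flow depth limits how
# many bytes of the raw HTTP payload are handed to the rule matcher.
def inspected_window(payload, flow_depth):
    """-1 = inspect nothing, 0 = inspect everything, N > 0 = first N bytes."""
    if flow_depth < 0:
        return b""
    if flow_depth == 0:
        return payload
    return payload[:flow_depth]

def rule_fires(payload, pattern, flow_depth):
    """True if the pattern lies entirely inside the inspected window."""
    return pattern in inspected_window(payload, flow_depth)

def add_proxy_headers(request, extra_headers):
    """Insert headers right after the request line, as a forwarding proxy might."""
    request_line, rest = request.split(b"\r\n", 1)
    return b"\r\n".join([request_line, *extra_headers, rest])

# Constructed sample data (not taken from the thread).
PATTERN = b"constructed-marker-value"
DIRECT = (
    b"GET /index.php HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) TestClient/1.0\r\n"
    b"Accept: text/html,application/xhtml+xml;q=0.9,*/*;q=0.8\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Cookie: session=" + PATTERN + b"\r\n\r\n"
)
PROXIED = add_proxy_headers(DIRECT, [
    b"Via: 1.1 proxy.example.test (squid)",
    b"X-Forwarded-For: 192.0.2.10",
    b"Cache-Control: max-age=259200",
])

if __name__ == "__main__":
    for name, req in (("direct", DIRECT), ("proxied", PROXIED)):
        offset = req.find(PATTERN) + len(PATTERN)
        for depth in (300, 0):
            print(f"{name:8} pattern ends at byte {offset:3}, "
                  f"flow depth {depth:3}: fires={rule_fires(req, PATTERN, depth)}")
```

In this model the same rule matches the direct request at depth 300 but not the proxied one, and matches both once the depth is raised to cover the whole payload.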