[Snort-users] tag:session problem

Maxim hittlle at ...7427...
Thu Nov 24 20:28:13 EST 2016


Hi snort team,
I came across a weird problem and need your help. I wrote the following rule to capture the bidirectional packets of the same session if an attacker triggers it:

    alert tcp any any -> any 80 (msg:"bidirectional-packet-test"; sid:10000001; rev:1; content:"test"; http_uri; classtype:web-application-attack; flowbits:isnotset,foo; flowbits:set,foo; tag:session,exclusive;)

The purpose of this rule is to capture both the HTTP request and the corresponding HTTP response packets. I launch snort as follows:

    snort -c /etc/snort/snort.conf -D

After that, I used postman to simulate a request to my target, then checked snort.log, and I could see both the request and response packets as expected. Then I used postman to send the same HTTP request again; this time I only saw the request packet and could not find the response packet. I checked the stream5_tcp configuration items, and there is only a timeout item which I think has something to do with this. I changed it from 180 seconds to 30 seconds, then omitted it entirely and tried again, but I still failed. Am I missing anything? Thanks.
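To make the per-flow semantics of the options in the rule above concrete, here is a small Python model added as an illustration; it is not Snort's code and not part of the original post. It keys state on a direction-independent 5-tuple the way a stream tracker does, applies the `content:"test"; http_uri;` match, the `flowbits:isnotset,foo` / `flowbits:set,foo` gate, and a simplified `tag:session` that logs every later packet of the alerting flow. Tag counts, expiry, the `exclusive` modifier and stream timeouts are deliberately not modelled, and all packets are constructed sample data.

```python
"""Toy model of Snort flowbits + tag:session interaction (illustrative only)."""
from collections import namedtuple

# Constructed packet shape for this example; not a Snort structure.
Packet = namedtuple("Packet", "src sport dst dport payload")


def flow_key(pkt):
    """Direction-independent key so a request and its response share one flow."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


class ToyEngine:
    """Holds per-flow flowbit state and the set of flows under tag:session."""

    def __init__(self):
        self.flowbits = {}   # flow_key -> set of flowbit names that are set
        self.tagged = set()  # flows where tag:session is active
        self.log = []        # (verdict, packet) in processing order

    @staticmethod
    def rule_matches(pkt):
        """Approximates: tcp any any -> any 80 with content:"test"; http_uri;"""
        if pkt.dport != 80:
            return False
        request_line = pkt.payload.split(b"\r\n", 1)[0]
        parts = request_line.split(b" ")
        return len(parts) >= 2 and b"test" in parts[1]

    def process(self, pkt):
        key = flow_key(pkt)
        bits = self.flowbits.setdefault(key, set())
        # flowbits:isnotset,foo limits the alert to the first match per flow
        if self.rule_matches(pkt) and "foo" not in bits:
            bits.add("foo")          # flowbits:set,foo
            self.tagged.add(key)     # tag:session starts logging this flow
            verdict = "alert"
        elif key in self.tagged:
            verdict = "tagged"       # logged because the session is tagged
        else:
            verdict = "ignored"
        self.log.append((verdict, pkt))
        return verdict


def demo():
    """Two requests on one connection, then one on a new connection."""
    client, server = "10.0.0.5", "192.0.2.10"   # constructed addresses
    req = b"GET /test HTTP/1.1\r\nHost: example\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    packets = [
        Packet(client, 40001, server, 80, req),    # first request
        Packet(server, 80, client, 40001, resp),   # its response
        Packet(client, 40001, server, 80, req),    # same connection again
        Packet(server, 80, client, 40001, resp),
        Packet(client, 40002, server, 80, req),    # fresh connection
        Packet(server, 80, client, 40002, resp),
    ]
    engine = ToyEngine()
    return [engine.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running `demo()` yields `alert, tagged, tagged, tagged, alert, tagged`: on a reused connection the second request is logged only through the tag, because `foo` is already set for that flow, while a new connection gets a fresh flowbit state and alerts again. The model does not reproduce the symptom in the post (a missing response packet); it only shows which per-flow state each option touches.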

