[Snort-users] snort3: problem with http_inspect

Tom Peters (thopeter) thopeter at ...589...
Mon Feb 27 11:39:04 EST 2017


I'm coming into this in the middle and apologies in advance if I have

You should not configure http_inspect (the new HTTP inspector) and
http_server (the old HTTP inspector) at the same time. One or the other
should be commented out in snort.lua by -- or deleted entirely.


On 2/25/17, 2:05 PM, "Marcin Dulak" <marcin.dulak at ...11827...> wrote:

>I have a problem with http_inspect,
>I make an HTTP request against the machine running snort/nfqueue:
># curl -s -m 1
>and expect my sid:3000001 (see below) to be triggered, but only
>is triggered instead.
>My question is what am I missing to trigger sid:3000001 with the new
>Now, when in /etc/snort/snort.lua I use
>-- http_inspect = { }
>http_server = { }
>then all but sid:4000001 are triggered:
