[Snort-users] snort3: problem with http_inspect

Tom Peters (thopeter) thopeter at ...589...
Mon Feb 27 11:39:04 EST 2017


Marcin,

I'm coming into this in the middle and apologies in advance if I have
misunderstood.

You should not configure http_inspect (the new HTTP inspector) and
http_server (the old HTTP inspector) at the same time. One or the other
should be commented out in snort.lua by -- or deleted entirely.

Tom



On 2/25/17, 2:05 PM, "Marcin Dulak" <marcin.dulak at ...11827...> wrote:

>Hi,
>
>I have a problem with http_inspect,
>https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438
>
>I make an HTTP request against the machine running snort/nfqueue:
>
># curl -s -m 1 http://192.168.17.30/test
>
>and expect my sid:3000001 (see below) to be triggered, but only
>sid:4000003
>is triggered instead.
>My question is what am I missing to trigger sid:3000001 with the new
>http_inspect?
>
>Now, when in /etc/snort/snort.lua I use
>-- http_inspect = { }
>http_server = { }
>
>then all but sid:4000001 are triggered:
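
The conflict described in Tom's reply (both `http_inspect` and `http_server` configured in snort.lua) can be checked mechanically. The Python script below is an added example, not part of the original thread or of Snort; its function names and sample fragments are constructed, and it assumes `--` never appears inside a Lua string and that the inspectors are assigned at the top level of the file.

```python
import re

# Inspector names come from the thread; everything else here is illustrative.
CONFLICTING = ("http_inspect", "http_server")

# Lua comments: long form --[[ ... ]] (also --[==[ ... ]==]) or line form -- ...
LUA_COMMENT = re.compile(r"--\[(=*)\[.*?\]\1\]|--[^\n]*", re.S)

def strip_lua_comments(text):
    """Drop block and line comments so commented-out settings are ignored."""
    return LUA_COMMENT.sub("", text)

def active_inspectors(lua_text):
    """Return the inspectors from CONFLICTING that are actually assigned."""
    code = strip_lua_comments(lua_text)
    return [name for name in CONFLICTING
            if re.search(rf"^\s*{name}\s*=(?!=)", code, flags=re.M)]

def check(lua_text):
    """Summarise whether the old and new HTTP inspectors are both enabled."""
    active = active_inspectors(lua_text)
    if len(active) > 1:
        return "conflict: " + " and ".join(active) + " are both configured"
    if active:
        return "ok: only " + active[0] + " is configured"
    return "ok: no HTTP inspector is configured"

# Constructed snort.lua fragments (not taken from a real deployment).
BOTH_ACTIVE = "http_inspect = { }\nhttp_server = { }\n"
ONE_COMMENTED = "-- http_inspect = { }\nhttp_server = { }\n"
BLOCK_COMMENTED = "--[[\nhttp_server = { }\n]]\nhttp_inspect = { }\n"

if __name__ == "__main__":
    for label, sample in (("both active", BOTH_ACTIVE),
                          ("line comment", ONE_COMMENTED),
                          ("block comment", BLOCK_COMMENTED)):
        print(label + ": " + check(sample))
```

To check a real configuration, read the file's text and pass it to `check()`.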




