[Snort-users] Snort 2.9.13 not recognizing server response in PCAP.

My Account researchitdammit at gmail.com
Thu May 30 13:04:42 EDT 2019


Hi,

I have a situation where snort does not appear to be recognizing packets
that I have in a PCAP. The packet in question is a simple HTTP server
response. The rule is set up to read content in the packet.

The server port is 8080. At this point, I cannot figure out which
configuration setting to change to get snort to parse the server response.

Sample Rule:
alert tcp any any -> any any \
( \
    msg: "Alert"; \
    flow:from_server,established; \
    content:"password"; \
    sid:6000002; rev:1; \
)


Thanks.