[Snort-users] Snort 2.9.13 not recognizing server response in PCAP.
Al Lewis (allewi)
allewi at cisco.com
Fri May 31 10:36:32 EDT 2019
Is port 8080 within your stream and http preprocessors?
Can you share the pcap?
Cisco Systems Inc.
Email: allewi at cisco.com<mailto:allewi at cisco.com>
From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of My Account via Snort-users <snort-users at lists.snort.org>
Reply-To: My Account <researchitdammit at gmail.com>
Date: Friday, May 31, 2019 at 10:26 AM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [Snort-users] Snort 2.9.13 not recognizing server response in PCAP.
I have a situation where snort does not appear to be recognizing packets that I have in a PCAP. The packet in question is a simple HTTP server response. The rule is setup to read content in the packet.
The server port is 8080. At this point, I can not figure out which configuration setting to change to get snort to parse the server response.
alert tcp any any -> any any \
msg: "Alert"; \
sid:6000002; rev:1; \
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users