[Snort-users] Snort 2.9.13 not recognizing server response in PCAP.

Al Lewis (allewi) allewi at cisco.com
Fri May 31 10:36:32 EDT 2019

Is port 8080 within your stream and http preprocessors?

Can you share the pcap?

Albert Lewis
Cisco Systems Inc.
Email: allewi at cisco.com

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of My Account via Snort-users <snort-users at lists.snort.org>
Reply-To: My Account <researchitdammit at gmail.com>
Date: Friday, May 31, 2019 at 10:26 AM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [Snort-users] Snort 2.9.13 not recognizing server response in PCAP.


I have a situation where snort does not appear to be recognizing packets that I have in a PCAP. The packet in question is a simple HTTP server response. The rule is set up to read content in the packet.

The server port is 8080. At this point, I cannot figure out which configuration setting to change to get snort to parse the server response.

Sample Rule:
alert tcp any any -> any any \
( \
    msg:"Alert"; \
    flow:from_server,established; \
    content:"password"; \
    sid:6000002; rev:1; \
)
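
One way to answer the question about the stream and http preprocessors, as an added example that is not part of the thread: a small Python check that reports whether a port appears in the `stream5_tcp` and `http_inspect_server` port lists of a snort.conf. The config excerpt and the function names are constructed for illustration.

```python
import re

# Constructed snort.conf excerpt (not from the thread): 8080 is in neither list.
SAMPLE_CONF = r"""
# Target-based stream reassembly
preprocessor stream5_tcp: policy windows, timeout 180, \
    ports client 21 23 25, \
    ports both 80 443
preprocessor http_inspect_server: server default \
    profile all ports { 80 8000 } \
    oversize_dir_length 500
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop blank and comment lines."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    lines = (line.strip() for line in joined.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def port_coverage(conf, port):
    """Report which preprocessor port lists in conf include the given port."""
    port = str(port)
    directions, http = set(), False
    for line in logical_lines(conf):
        if line.startswith("preprocessor stream5_tcp:"):
            # stream5_tcp syntax: ports <client|server|both> <all|number(s)>
            found = re.findall(r"ports\s+(client|server|both)\s+(all|[\d ]+)", line)
            for direction, spec in found:
                if spec == "all" or port in spec.split():
                    directions.add(direction)
        elif line.startswith("preprocessor http_inspect_server:"):
            # http_inspect_server syntax: ports { <number> <number> ... }
            for spec in re.findall(r"ports\s*\{([^}]*)\}", line):
                http = http or port in spec.split()
    return {"stream5_tcp": sorted(directions), "http_inspect_server": http}

if __name__ == "__main__":
    for p in (80, 8080):
        print(p, port_coverage(SAMPLE_CONF, p))
```

To check a real configuration, pass the contents of the snort.conf in use instead of `SAMPLE_CONF`.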
