[Snort-users] Snort 2.9.13 not recognizing server response in PCAP.

My Account researchitdammit at gmail.com
Fri May 31 23:04:48 EDT 2019


Hi Al,

Thanks for the response. Unfortunately, I cannot share the PCAP. Port 8080
is in the HTTP stream. How would I check for the proper http preprocessors?

Interestingly, when I removed *established* from the rule, it worked. I am
not sure why, because the server responded with an HTTP OK.

Thanks.

On Fri, May 31, 2019 at 10:36 AM Al Lewis (allewi) <allewi at cisco.com> wrote:

> Is port 8080 within your stream and http preprocessors?
>
> Can you share the pcap?
>
> *Albert Lewis*
> ENGINEER.SOFTWARE ENGINEERING
> Cisco Systems Inc.
> Email: allewi at cisco.com
>
> *From: *Snort-users <snort-users-bounces at lists.snort.org> on behalf of My
> Account via Snort-users <snort-users at lists.snort.org>
> *Reply-To: *My Account <researchitdammit at gmail.com>
> *Date: *Friday, May 31, 2019 at 10:26 AM
> *To: *"snort-users at lists.snort.org" <snort-users at lists.snort.org>
> *Subject: *[Snort-users] Snort 2.9.13 not recognizing server response in
> PCAP.
>
> Hi,
>
> I have a situation where Snort does not appear to be recognizing packets
> that I have in a PCAP. The packet in question is a simple HTTP server
> response. The rule is set up to read content in the packet.
>
> The server port is 8080. At this point, I cannot figure out which
> configuration setting to change to get Snort to parse the server response.
>
> Sample Rule:
>
> alert tcp any any -> any any \
> ( \
>   msg:"Alert"; \
>   flow:from_server,established; \
>   content:"password"; \
>   sid:6000002; rev:1; \
> )
>
> Thanks.
>
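The symptom in this thread (the rule fires without `established` but not with it) is most often a capture that starts mid-stream: Snort's `flow:established` depends on the stream preprocessor having seen the TCP three-way handshake, and a PCAP that begins at the request or the response never satisfies it, however well-formed the HTTP OK is. The script below is an added example, not code from the thread or from the Snort project. It parses a classic libpcap file (Ethernet link type) with only the standard library, reports whether SYN, SYN/ACK and ACK are present for a given server port, and mimics the `flow:from_server[,established]; content:"password"` match. The two captures it analyses are constructed inline; hosts, ports and the HTTP response are made-up sample values.

```python
"""Check whether a pcap carries the TCP handshake that Snort needs before
a session counts as 'established', and whether the server bytes would match.
Stand-alone diagnostic using only the standard library (added example)."""
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08
ETH_IPV4 = 0x0800


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (checksums left zero; not verified here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)  # zero MACs, ethertype IPv4
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a little-endian classic pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1559340000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap):
    """Yield (sport, dport, flags, payload) for every IPv4/TCP frame in the pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:  # protocol field: 6 = TCP
            continue
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield sport, dport, tcp[13], tcp[doff:]


def analyze(pcap, server_port):
    """Report handshake presence and collected server payload for one server port."""
    seen = {"syn": False, "syn_ack": False, "ack": False}
    server_data = b""
    for sport, dport, flags, payload in iter_tcp(pcap):
        to_server, from_server = dport == server_port, sport == server_port
        if to_server and flags & SYN and not flags & ACK:
            seen["syn"] = True
        elif from_server and flags & SYN and flags & ACK:
            seen["syn_ack"] = True
        elif to_server and seen["syn_ack"] and flags & ACK and not flags & SYN and not seen["ack"]:
            seen["ack"] = True
        if from_server:
            server_data += payload
    seen["established"] = seen["syn"] and seen["syn_ack"] and seen["ack"]
    seen["server_data"] = server_data
    return seen


def rule_would_fire(report, needle=b"password", require_established=True):
    """Mimic flow:from_server[,established]; content:needle; on the analysed session."""
    if require_established and not report["established"]:
        return False
    return needle in report["server_data"]


# Constructed sample captures: one with the full handshake, one starting mid-stream.
CLIENT, SERVER, PORT = "10.0.0.5", "10.0.0.9", 8080
REQUEST = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\npassword"
FULL = build_pcap([
    build_packet(CLIENT, SERVER, 40000, PORT, SYN),
    build_packet(SERVER, CLIENT, PORT, 40000, SYN | ACK),
    build_packet(CLIENT, SERVER, 40000, PORT, ACK),
    build_packet(CLIENT, SERVER, 40000, PORT, PSH | ACK, REQUEST),
    build_packet(SERVER, CLIENT, PORT, 40000, PSH | ACK, RESPONSE),
])
MIDSTREAM = build_pcap([
    build_packet(CLIENT, SERVER, 40000, PORT, PSH | ACK, REQUEST),
    build_packet(SERVER, CLIENT, PORT, 40000, PSH | ACK, RESPONSE),
])

if __name__ == "__main__":
    for name, cap in (("full", FULL), ("midstream", MIDSTREAM)):
        r = analyze(cap, PORT)
        print(name, {k: r[k] for k in ("syn", "syn_ack", "ack", "established")},
              "established-rule fires:", rule_would_fire(r),
              "without established:", rule_would_fire(r, require_established=False))
```

To run it against a real file, replace `FULL` with `open("capture.pcap", "rb").read()` and pass the actual server port. If the report shows the handshake missing, the fix is in the capture (or in running Snort on traffic that includes session setup), not in the rule. If the handshake is present and the rule still stays silent, the next things to confirm in snort.conf are that 8080 appears in the `ports` list of the `stream5_tcp` preprocessor and in the `ports { ... }` list of the `http_inspect_server` configuration, which is what the question about the stream and http preprocessors above is getting at.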