<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Can you send the pcap off list?<br><br><div>--</div><div><b>Joel Esler</b></div></div><div><br>On Feb 26, 2013, at 8:41 PM, Ruyk &lt;<a href="mailto:lonely.ruyk@...9554...">lonely.ruyk@...9554...</a>&gt; wrote:<br><br></div><blockquote type="cite"><div><span>Hello, list.</span><br><span></span><br><span>I have a problem with Snort on Ubuntu Server 12 (x86_64).</span><br><span>The HTTP inspect preprocessor won't handle HTTP packets.</span><br><span></span><br><span>I wrote a test rule in local.rules:</span><br><span></span><br><span>alert tcp any any &lt;&gt; any any (msg:"test alert";content:"GET"; nocase; http_header; classtype:trojan-activity; sid:2000004201;)</span><br><span></span><br><span>Then I ran Snort like this:</span><br><span>/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -r /tmp/test_http_alerts.pcap</span><br><span></span><br><span>where test_http_alerts.pcap contains requests to a web server via a proxy (port 3128).</span><br><span></span><br><span>But this alert doesn't trigger, and HTTP inspect reports:</span><br><span>    POST methods:                         0</span><br><span>    GET methods:                          0</span><br><span></span><br><span>Files with additional info are in the attachment.</span><br><span></span><br><span>P.S.: Sorry for my English</span><br></div></blockquote><blockquote type="cite"><div>&lt;snort.conf&gt;</div></blockquote><blockquote type="cite"><div>&lt;snort_output.txt&gt;</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Snort-users mailing list</span><br><span><a href="mailto:Snort-users@...3054...forge.net">Snort-users@lists.sourceforge.net</a></span></div></blockquote></body></html>