
Re: [Snort-devel] Snort not detecting some rules

From: Daniel J. Roelker <droelker(at)sourcefire.com>
Date: Fri Mar 19 2004 - 10:48:37 EST

Your problem is with web rules that look for content in HTTP server response payloads. This is because the http_inspect preprocessor, and previously the httpflow preprocessor, processes the HTTP response headers and ignores most of the response payload. We do this for performance reasons since we only have a few rules (excluding the 10 or so in porn) that actually even look at the response payload.

Try adding flow_depth 0 (which turns on complete http response inspection) to the end of your "http_inspect: server default" line.

Dan

On Thu, 2004-03-18 at 12:22, Ian S. Nelson wrote:
>
> I've been kicking this around with snort 2.1. I've got streams of data

-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.
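
Added example, not part of the original message and not Sourcefire code: a small audit that flags http_inspect server entries where rules matching content in server responses can miss payload because flow_depth is unset or non-zero. It assumes the snort.conf directive is spelled `preprocessor http_inspect_server: server <name> ...` and treats an unset flow_depth as limited, as the message describes; the sample config, addresses and rules are constructed.

```python
import re

def join_continuations(text):
    """snort.conf and rule lines may be continued with a trailing backslash."""
    return re.sub(r"\\[ \t]*\n", " ", text)

def server_flow_depths(conf_text):
    """Map each http_inspect_server 'server <name>' to its flow_depth (None if unset)."""
    depths = {}
    for line in join_continuations(conf_text).splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"preprocessor\s+http_inspect_server:\s*server\s+(\S+)(.*)", line)
        if m:
            fd = re.search(r"\bflow_depth\s+(-?\d+)", m.group(2))
            depths[m.group(1)] = int(fd.group(1)) if fd else None
    return depths

def response_payload_rules(rules_text):
    """Return sids of rules that match content: in server-to-client traffic."""
    sids = []
    for line in join_continuations(rules_text).splitlines():
        flow = re.search(r"\bflow\s*:\s*([^;]+);", line)
        if line.lstrip().startswith("#") or not flow:
            continue
        directions = {opt.strip() for opt in flow.group(1).split(",")}
        if directions & {"from_server", "to_client"} and re.search(r"\bcontent\s*:", line):
            sid = re.search(r"\bsid\s*:\s*(\d+)", line)
            sids.append(int(sid.group(1)) if sid else None)
    return sids

def audit(conf_text, rules_text):
    """List (server, flow_depth, sids) where response rules can miss payload."""
    sids = response_payload_rules(rules_text)
    return [(name, depth, sids) for name, depth in server_flow_depths(conf_text).items()
            if depth != 0 and sids]

# Constructed sample input (not taken from the thread).
SAMPLE_CONF = """\
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 }
preprocessor http_inspect_server: server 192.0.2.10 profile apache ports { 80 } flow_depth 0
"""
SAMPLE_RULES = """\
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"constructed response rule"; flow:from_server,established; content:"example-marker"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed request rule"; flow:to_server,established; uricontent:"/example"; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_RULES))
```

Only the "default" entry is reported here: its line carries no flow_depth, while the constructed 192.0.2.10 entry already ends in flow_depth 0.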



Received on Fri Mar 19 19:58:42 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT

