Re: http_header not working

[waldo kitty <wkitty42 () windstream net>]

On 9/29/2014 7:52 AM, NIDS TEAM wrote:
> So I just compiled Snort with --enable-sourcefire.
>
> Snort runs with the following rule:
> alert tcp any any <> any any (msg:"TEST HOST alert"; content:"google"; http_uri;
> gid:1; sid:99999; rev:2;)

are you saying that you have no other rules at all? only this one rule plus the 
built-in ones in the internal functions?

> I then do one single request to www.google.com/mail
>
> The following request is visible with Snort (I do not copy all the SYN/ACK packets):

[trim]

> It looks like the http_inspect preprocessor doesn't do anything here, besides
> passing the packet.
>
> The http_inspect configuration is identical to:
> http://labs.snort.org/snort/2962/snort.conf

what do you expect to see from the http_inspect preprocessor? where do you 
expect to see it emitted?

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
Slashdot TV.  Videos for Nerds.  Stuff that Matters.
http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!