Snort mailing list archives

Re: http_header not working


From: NIDS TEAM <nidsteam () gmail com>
Date: Mon, 29 Sep 2014 17:57:56 +0200

Indeed, we only have this one rule for testing at the moment. I would expect
HTTP Inspect to have extracted a GET request and an HTTP Request Header.

We just found a solution to this problem, or rather the problem behind it.
Figuring out the differences between test installations and the real sensor,
we found that the real network uses VLAN tags. While searching the web for
VLAN-related Snort issues, we found various possible traps with VLAN, e.g.
http://seclists.org/snort/2010/q3/768. HTTP request and reply are indeed in
a different VLAN, which confuses the Stream5 preprocessor.

Thus we successfully verified that we get alerts using 'config
vlan_agnostic'. Nevertheless, this should rather be fixed on the switches
which export the traffic.

Thanks for your support!
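
Added example, not part of the original post: a check for the condition described above, where the two directions of one TCP session arrive with different 802.1Q VLAN IDs. The function names, addresses and VLAN IDs 10/20/30 are constructed for illustration; single-tagged Ethernet/IPv4 frames are assumed.

```python
import socket
import struct
from collections import defaultdict

def parse_frame(frame):
    """Return (vlan, sender, receiver) for an IPv4/TCP Ethernet frame, else None."""
    if len(frame) < 18:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == 0x8100:  # 802.1Q: 2-byte TCI, then the encapsulated ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return None
    ihl = (frame[offset] & 0x0F) * 4
    if frame[offset + 9] != 6 or len(frame) < offset + ihl + 4:  # 6 = TCP
        return None
    src, dst = (socket.inet_ntoa(frame[offset + i:offset + i + 4]) for i in (12, 16))
    sport, dport = struct.unpack("!HH", frame[offset + ihl:offset + ihl + 4])
    return vlan, (src, sport), (dst, dport)

def asymmetric_vlan_flows(frames):
    """Return {session: (vlans_from_first, vlans_from_second)} where the sets differ."""
    seen = defaultdict(lambda: defaultdict(set))
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            vlan, sender, receiver = parsed
            key = tuple(sorted((sender, receiver)))  # one key for both directions
            seen[key][sender].add(vlan)
    flagged = {}
    for key, by_sender in seen.items():
        first, second = by_sender.get(key[0], set()), by_sender.get(key[1], set())
        if first and second and first != second:
            flagged[key] = (first, second)
    return flagged

def build_frame(vlan, src, sport, dst, dport):
    """Constructed sample frame: zeroed MACs and checksums, bare IPv4 + TCP headers."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    eth = bytes(12) + tag + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 40, 0, 0, 64, 6, 0) + socket.inet_aton(src) + socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp

# Constructed capture: session 1 uses VLAN 10 one way and 20 back; session 2 uses VLAN 30 both ways.
SAMPLE = [build_frame(10, "10.0.0.5", 49152, "192.0.2.80", 80), build_frame(20, "192.0.2.80", 80, "10.0.0.5", 49152),
          build_frame(30, "10.0.0.6", 49153, "192.0.2.80", 80), build_frame(30, "192.0.2.80", 80, "10.0.0.6", 49153)]
```

Any session returned by asymmetric_vlan_flows() is one that Stream5 would see as two unrelated halves unless 'config vlan_agnostic' is set or the tagging is corrected on the exporting switches.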