
List:       snort-sigs
Subject:    Re: [Snort-sigs] http_header usage
From:       Cagri Ersen <cagri.ersen () gmail ! com>
Date:       2014-04-22 14:44:04
Message-ID: CAFb3KasWzk-cDDhN-HwLyEi7D=GYCJp3kk_a6vVToM+CkFx_ow () mail ! gmail ! com

On Tue, Apr 22, 2014 at 4:18 PM, lists@packetmail.net
<lists@packetmail.net> wrote:


> I'm pretty sure that based on those configuration directives with values
> being set to zero you've effectively disabled the http_* buffers.


I've tried that with non-zero values too, but there is no progress. I
think I just figured out the problem. It seems it's related to VMware.
This setup is running on a VMware Fusion instance and http_keywords don't
work at all, but if I run the same setup with the same conf on a physical
server then it works! (I can capture the traffic on the VM guest by using
tcpdump or wireshark without any problem, so it shouldn't be an issue with
"sniffing".)

I've tried it on VMware Fusion and ESX 5.0 hosts and both of them have the
same problem with http_* keywords.


-- 
Cagri Ersen
http://www.syslogs.org
