From: Rob M. <ro...@ho...> - 2004-04-02 14:17:56
> I think that they made this change in the snort 2.1.x series of snort. I
> tried to enable the http_inspect preprocessor just to see if it would
> successfully decode and drop packets, and it appears to be broken. Can
> somebody running snort_inline-2.1.1 try this? you should be able to test
> do something like the following replacing "somewebsite" with a test server
> or your web server. You should always get a "page cannot be displayed"
> rather than a "page could not be found", i.e. these requests should never
> make it to the webserver. The rule numbers in order are 1072 1078 1073,
> all of them come out of the web-misc.rules

I would recommend we do our troubleshooting by removing as much complexity as possible; therefore, can we verify that snort (NOT snort_inline) with the http_inspect preproc will decode and alert on uricontent first?

Thanks in advance,
Rob

P.S. my apologies for not doing it myself, but I am trying to meet a deadline with another project.