Closed BIIIANG closed 6 months ago
Hi,
First of all, thanks for using traces. From the logs I see that search_engine.detect_raw_tcp is enabled.
Normally, Snort3 evaluates IPS rules against rebuilt packets only (PDU, whatever makes sense for the inspected protocol). The detect_raw_tcp option forces rule evaluation for raw packets (the ones you can see on the wire).
Thus, you see two alerts (the 1st one from the raw packet, and the 2nd alert from the rebuilt packet). Check the final statistics:

detection
    analyzed: 262
    raw_searches: 1      -- wire packet
    cooked_searches: 2   -- PDU
You can find more user questions/answers at snort-users@lists.snort.org (Snort-users mailing list): https://lists.snort.org/mailman/listinfo/
Github is mainly for issues found in the source code.
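As an added example (not code from the Snort project or from the issue author), the snort.lua fragment below shows the setting the reply refers to: the value that makes rules run against both the raw wire packet and the rebuilt PDU, beside the value that restricts evaluation to rebuilt packets. The `search_engine` table and `detect_raw_tcp` key are Snort 3 configuration names; everything else is illustrative.

```lua
-- Added example (not from the Snort project or the issue author):
-- snort.lua fragment controlling raw-packet rule evaluation.

search_engine =
{
    -- true: IPS rules are evaluated against the raw wire packet
    -- AND against the rebuilt PDU, so a single HTTP request can
    -- raise the same alert twice (the behaviour reported above).
    -- detect_raw_tcp = true,

    -- false: rules are evaluated against rebuilt packets only,
    -- so the same request raises the alert once.
    detect_raw_tcp = false,
}
```

After rerunning the same traffic, compare the final "detection" statistics: with detect_raw_tcp = false, raw_searches is expected to stay at 0 while cooked_searches still counts the PDU evaluations, which is the quickest way to confirm that the duplicate alert came from the raw-packet pass rather than from the rule itself.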
Hello. I'm doing some research using snort. I found that when I instrumented some packets using one specific HTTP rule (with no sticky buffer), two alerts were generated. Further testing revealed that some packets can even trigger three alerts. Is this normal?
Snort Version
HTTP rule (Line 1473 in the Community rules)
HTTP Packages
The HTTP package is sent by the following script, and before running this script, a simple HTTP server is started by:

python -m http.server 8080

Trace message of snort
The 2 alerts:
Rule with sticky buffer
When I test using rules with sticky buffer (like the following one), the number of alerts generated does not exceed 1.
I want to know if this situation is normal when detecting HTTP packets. Thanks.