Snort – Why Outgoing Traffic is Not Detected


I'm using Snort 2.9 on windows server 2008 R2 x64, with a very simple configuration that goes like this:

# Entire content of Snort.conf:
alert tcp any any -> any any (sid:5000000; content:"_secret_"; msg:"TRIGGERED";)

# command line:
snort.exe -c etc/Snort.conf -l etc/log -A console

Using my browser, I send the string "_secret_" in the url to my server (where Snort is located). Example: http://myserver.com/index.php?_secret_

Snort receives it and throws an alert, it works, no problem! But when I try something like this:

<?php // (index.php)
header('XTest: _secret_'); // header
echo '_secret_'; // data
?>

If I just request http://myserver.com/index.php, it does not work or detect anything from the outgoing traffic, even though the php file is sending the same string both in headers and in data, with no compression/encoding whatsoever. (I checked using Wireshark)

This looks to me like a Snort problem. No matter what I do, it only detects received packets. Did anyone ever face this sort of problem with Snort? Any idea how to fix it?

Best Answer

After 6 painful hours of trying everything, I finally fixed it!

Just needed to add -k none to the command line.

For some reason, on my desktop PC it works without the -k none parameter. If someone cares to explain what is going on, that would be very helpful. Thanks.
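An added example (editor's code, not from the question or the answer) that models what -k none changes. Snort's default checksum mode (-k all) verifies the TCP checksum and discards a segment that fails verification before the detection engine sees it; a capture taken on the sending host commonly shows outgoing segments whose checksum the NIC has not yet filled in (checksum offload), so they never reach the content match. The addresses, ports and HTTP response below are constructed.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071) used by the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: bytes, dst_ip: bytes, seg_len: int) -> bytes:
    # IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, seg_len)

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    # computed with the checksum field (bytes 16-17 of the TCP header) zeroed
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return (~total) & 0xFFFF

def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    # with a correct checksum in place, the sum over everything folds to 0xFFFF
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def build_segment(src_ip, dst_ip, sport, dport, payload, offloaded=False):
    """Minimal TCP segment (PSH+ACK, no options). With offloaded=True the checksum
    field is left at 0, which is what a capture on the sending host sees when the
    NIC is expected to fill it in later (checksum offload)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    if not offloaded:
        seg = seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]
    return seg

def snort_alerts(src_ip, dst_ip, segment, k_mode="all", content=b"_secret_"):
    """Model of the page's rule under Snort's -k mode: with the default 'all' a
    segment that fails checksum verification is dropped before detection, so the
    content match never runs; with 'none' (or 'notcp') it is inspected anyway."""
    if k_mode not in ("none", "notcp") and not checksum_ok(src_ip, dst_ip, segment):
        return False
    data_offset = (segment[12] >> 4) * 4  # TCP header length in bytes
    return content in segment[data_offset:]

# Constructed sample: the server's HTTP response carrying "_secret_" in a header and the body
SRV, CLI = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])
RESPONSE = b"HTTP/1.1 200 OK\r\nXTest: _secret_\r\n\r\n_secret_"
GOOD = build_segment(SRV, CLI, 80, 51234, RESPONSE)                       # as seen on the wire
OFFLOADED = build_segment(SRV, CLI, 80, 51234, RESPONSE, offloaded=True)  # as captured on the server

if __name__ == "__main__":
    for name, seg in (("wire", GOOD), ("offloaded", OFFLOADED)):
        for mode in ("all", "none"):
            print(f"{name:9s} -k {mode:4s} -> alert={snort_alerts(SRV, CLI, seg, mode)}")
```

Running it shows the offloaded segment alerting only under -k none (or -k notcp), which is the behaviour the question describes; -k none trades that visibility for accepting corrupted segments, so on a sensor that is not the sending host the default is the safer setting.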
