[Snort-devel] HTTP INSPECT fails on Mirror Port

Russ Combs (rucombs) rucombs at ...3461...
Tue Aug 5 15:18:09 EDT 2014


________________________________________
From: Anand Raj Manickam [anandrm at ...2499...]
Sent: Tuesday, August 05, 2014 4:05 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel at lists.sourceforge.net; snort-users at ...1954...orge.net
Subject: Re: HTTP INSPECT fails on Mirror Port

> * You have something weird going on.  Now 6 are are eth:ip4:tcp and 4 are eth:other.  Previously they were eth:ip4:other.
>
> * At this point, since it happens only on your interface, I suggest compiling a debug version of Snort so you can catch it and see what's up.  You will need to set breakpoints in decode.c in DecodeEthPkt() and DecodeIPv4Proto() wherever pc.other++ happens and figure out what protocol it sees instead of IP and TCP respectively.

I have the gdb breaks set , i see that in Live packet capture mode ,
there appears to be a internal fragmentation of the packet though the
MTU is 1500, the max size of packet in this capture is only 556.
If you look at the pkt structs data , i see Characters  . But when i
played with pcap , i never saw character data. ( this is the reason
why pcap works )

* The problem does not appear to be with the length.  Your 556 byte server response is the actual, full size:

eth:ip4:tcp:http = 14 + 20 + 32 + 490 = 556

* You need to break on the pc.other++ lines in the above two functions and then look at exactly what the next layer protocol is.  That is why decode is failing in these functions.

* For example, in the eth function you can execute this command:

p /x p->eh->ether_type

* And in the ip4 function you can execute this command:

p /x proto

I have the GDB dump below , with bt .

I have turned off all offload settings

# ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp segmentation offload: off
udp fragmentation offload: off
generic segmentation offload: off


Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7494064 "\217\033", len=52,
p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
650 {
(gdb) bt
#0  DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620,
pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
#1  0x56591224 in ProcessPacket (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n", ft=0x0)
    at snort.c:1821
#2  0x56593a58 in PacketCallback (user=0x0, pkthdr=0xffffd620,
pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at snort.c:1704
#3  0x5666f489 in pcap_process_loop (user=0x57628770 "(\211bW",
pkth=0xffffd6bc, data=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n")
    at daq_pcap.c:361
#4  0xf7d9e8f2 in pcap_read_linux_mmap (handle=0x576289c8,
max_packets=0, callback=0x5666f400 <pcap_process_loop>,
user=0x57628770 "(\211bW") at ./pcap-linux.c:4071
#5  0xf7da09b2 in pcap_dispatch (p=0x576289c8, cnt=0,
callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at
./pcap.c:497
#6  0x5666fc26 in pcap_daq_acquire (handle=0x57628770, cnt=0,
callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at
daq_pcap.c:379
#7  0x5666eb1b in daq_acquire_with_meta (module=0x566bba60
<pcap_daq_module_data>, handle=0x57628770, cnt=0, callback=0x56593830
<PacketCallback>, metaback=0x0, user=0x0)
    at daq_mod_ops.c:133
#8  0x565b4f75 in DAQ_Acquire (max=0, callback=0x56593830
<PacketCallback>, user=0x0) at sfdaq.c:540
#9  0x565933bf in PacketLoop () at snort.c:3210
#10 0x565977f3 in SnortMain (argc=5, argv=0xffffd9e4) at snort.c:907
#11 0x56597bea in main (argc=841887793, argv=0x63410a0d) at snort.c:807
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
added, yet.</p>\n</body></html>\n") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496064 "\217\033", len=52,
p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496694 "\217\033", len=52,
p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7497042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7497064 "", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7497672 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7497694 "\217\033", len=52,
p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749803c "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749866c "") at decode.c:650
650 {
(gdb) c
Continuing.
c








More information about the Snort-devel mailing list