[Snort-devel] Problem with custom preprocessor - FLAG_STREAM_INSERT set in all packets

Arun Koshal akoshal04 at ...2499...
Thu Feb 4 23:20:07 EST 2016


Hi,

I forgot to add that I am using Snort version 2.9.8.0.

I am generating HTTP traffic using a Python script (using urllib2) and
accessing facebook.com and amazon.com.

Thanks and regards,
Arun

On Thu, Feb 4, 2016 at 8:53 PM, Arun Koshal <akoshal04 at ...2499...> wrote:

> Hi,
>
> I am working on a custom preprocessor which works on HTTP application traffic. The
> preprocessor extracts the HTTP method and URI from the client GET requests.
>
> In order to retrieve the method and URI, I am depending on the information
> decoded by the http_inspect preprocessor, and I am retrieving the method and
> URI using the _dpd.getHttpBuffer() function.
>
> The problem I am facing is that the flag FLAG_STREAM_INSERT is set in all the
> packets, because of which the method and URI are not updated in the HTTP
> buffer. I debugged Snort in GDB and could not find any packet with this
> flag clear inside my preprocessor. For this reason my
> preprocessor is not working. I am skipping the packets that have
> FLAG_STREAM_INSERT set using the following code:
>
>   /* Request client-to-server reassembly for this session once. */
>   if (sess->reassembly == 0) {
>     _dpd.streamAPI->set_reassembly(p->stream_session,
>                                    STREAM_FLPOLICY_FOOTPRINT,
>                                    SSN_DIR_FROM_CLIENT,
>                                    STREAM_FLPOLICY_SET_ABSOLUTE);
>     sess->reassembly = 1;
>   }
>
>   /* Skip segments that have only been queued for reassembly. */
>   if (p->flags & FLAG_STREAM_INSERT) {
>     PREPROC_PROFILE_END(myproc_perf_stats);
>     return;
>   }
>
> Even when I remove the check on FLAG_STREAM_INSERT, I do not get the
> method and URI populated in the HTTP buffer.
>
> I also observed that when I increased the priority of my preprocessor,
> this problem did not happen. But I had to reduce it to
> PRIORITY_APPLICATION so that http_inspect is called before my preprocessor.
>
> It seems that http_inspect is causing some problem. The configuration of
> the http_inspect preprocessor is as follows:
>
> # HTTP normalization and anomaly detection.  For more information, see
> README.http_inspect
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> compress_depth 65535 decompress_depth 65535
> preprocessor http_inspect_server: server default \
>     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY
> POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK
> CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND
> BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST
> RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>     chunk_length 500000 \
>     server_flow_depth 0 \
>     client_flow_depth 0 \
>     post_depth 65495 \
>     oversize_dir_length 500 \
>     max_header_length 750 \
>     max_headers 100 \
>     max_spaces 200 \
>     small_chunk_length { 10 5 } \
>     ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809
> 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000
> 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800
> 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002
> 55555 } \
>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>     enable_cookie \
>     extended_response_inspection \
>     inspect_gzip \
>     normalize_utf \
>     unlimited_decompress \
>     normalize_javascript \
>     apache_whitespace no \
>     ascii no \
>     bare_byte no \
>     directory no \
>     double_decode no \
>     iis_backslash no \
>     iis_delimiter no \
>     iis_unicode no \
>     multi_slash no \
>     utf_8 no \
>     u_encode yes \
>     webroot no
>
> Please let me know if I need to do something to use the http_inspect
> preprocessor's HTTP buffers for the different HTTP parameters.
>
> Any suggestion to resolve the issue will be a great help.
>
> Thanks and regards,
> Arun
>
>
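Added example (not code from the post, and not Snort's own code): a self-contained request-line extractor that applies the same gate as the snippet above, skipping any packet whose flags carry FLAG_STREAM_INSERT and otherwise pulling the method and URI out of the client payload. It does not call _dpd.getHttpBuffer() and does not settle which packets Snort actually flags; the MockPacket struct, the FLAG_STREAM_INSERT bit value, the HttpRequestLine type and the sample request are all constructed stand-ins for illustration. Method tokens are restricted to upper-case letters, '_' and '-', which covers the http_methods list in the configuration quoted above (e.g. RPC_CONNECT).

```c
/* Added example: request-line extraction behind a FLAG_STREAM_INSERT gate.
 * Everything here is a stand-in; none of it is Snort's real API or data. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed placeholder for the packet flag bit discussed in the post. */
#define FLAG_STREAM_INSERT 0x00000008u

/* Constructed stand-in for the fields the post's snippet reads from a packet. */
typedef struct {
    uint32_t       flags;
    const uint8_t *payload;
    uint16_t       payload_size;
} MockPacket;

/* Constructed result type: what the preprocessor wants from a client request. */
typedef struct {
    char method[16];
    char uri[512];
} HttpRequestLine;

/* Token characters accepted in a method name (upper case, '_' and '-'). */
static int method_char(uint8_t c)
{
    return (c >= 'A' && c <= 'Z') || c == '_' || c == '-';
}

/* Advance from i to the next SP, CR or LF (or to len). */
static size_t scan_until_space(const uint8_t *buf, size_t len, size_t i)
{
    while (i < len && buf[i] != ' ' && buf[i] != '\r' && buf[i] != '\n')
        i++;
    return i;
}

/* Parse "METHOD SP URI SP HTTP/x.y CRLF" at the start of buf.
 * Returns 1 and fills *out on success, 0 if the data is not a request line. */
int parse_request_line(const uint8_t *buf, size_t len, HttpRequestLine *out)
{
    size_t i, j;

    /* Method: one or more token characters followed by exactly one SP. */
    for (i = 0; i < len && method_char(buf[i]); i++)
        ;
    if (i == 0 || i >= len || buf[i] != ' ' || i >= sizeof out->method)
        return 0;
    memcpy(out->method, buf, i);
    out->method[i] = '\0';

    /* URI: one or more non-whitespace bytes followed by exactly one SP. */
    j = scan_until_space(buf, len, i + 1);
    if (j == i + 1 || j >= len || buf[j] != ' ' || j - (i + 1) >= sizeof out->uri)
        return 0;
    memcpy(out->uri, buf + i + 1, j - (i + 1));
    out->uri[j - (i + 1)] = '\0';

    /* Version: "HTTP/" then non-whitespace, terminated by CRLF. */
    j++;
    if (len - j < 5 || memcmp(buf + j, "HTTP/", 5) != 0)
        return 0;
    j = scan_until_space(buf, len, j + 5);
    if (j + 1 >= len || buf[j] != '\r' || buf[j + 1] != '\n')
        return 0;
    return 1;
}

/* Same gate as the post's snippet: a packet carrying FLAG_STREAM_INSERT is
 * skipped; anything else is parsed. Returns 1 if a request line was extracted. */
int inspect_packet(const MockPacket *p, HttpRequestLine *out)
{
    if (p->flags & FLAG_STREAM_INSERT)
        return 0;
    if (p->payload == NULL || p->payload_size == 0)
        return 0;
    return parse_request_line(p->payload, p->payload_size, out);
}

int main(void)
{
    /* Constructed sample client request; not captured traffic. */
    static const uint8_t req[] =
        "GET /index.html?q=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n";
    MockPacket rebuilt = { 0, req, (uint16_t)(sizeof req - 1) };
    MockPacket queued  = { FLAG_STREAM_INSERT, req, (uint16_t)(sizeof req - 1) };
    HttpRequestLine rl;

    if (inspect_packet(&rebuilt, &rl))
        printf("method=%s uri=%s\n", rl.method, rl.uri);
    if (!inspect_packet(&queued, &rl))
        printf("packet with FLAG_STREAM_INSERT skipped\n");
    return 0;
}
```

The parser is deliberately strict (exactly one SP between fields, CRLF termination), so a TLS record or a truncated segment that arrives on an HTTP port is rejected rather than half-parsed; a production preprocessor would read the normalized method and URI from http_inspect instead of re-parsing the payload.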