[Snort-users] Strange HTTP results

Joel Esler jesler at ...1935...
Sun Dec 16 12:34:50 EST 2012


Can you get us a pcap to troubleshoot with?

--
Joel Esler
Sent from my iPhone 

On Dec 15, 2012, at 10:21 PM, Michael Papagiorgio <mrapagiorgio at ...11827...> wrote:

> Dear snort gurus,
> 
> I am trying to see why a rule didn't fire on a snort 2.9.4 system, but it does on a different system running snort 2.9.2.1.  I am reading from the same pcap file on each system.  The rule hits on a certain HTTP POST pattern.  The 2.9.2.1 system correctly identifies and throws an alert.  2.9.4 doesn't even see any HTTP POSTs in the pcap at all.  I upgraded from 2.9.3.2 to 2.9.4 to see if I could get it to work, but neither version worked.  The rule will never fire if the issue is so low level that snort sees no POSTs.  I tried using the working 2.9.2.1 snort.conf on the 2.9.4 system, but that didn't work either.
> 
> Can someone give me an idea where to look? This is really vexing me.
> 
> Output from the runs:
> 
> works:
> 
> 
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.2.1 IPv6 (Build 107)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using libpcap version 1.2.1
>            Using PCRE version: 8.21 2011-12-12
>            Using ZLIB version: 1.2.3.4
> 
> ===============================================================================
> Packet I/O Totals:
>    Received:        18027
>    Analyzed:        18027 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>         Eth:        21082 (100.000%)
>        VLAN:            0 (  0.000%)
>         IP4:        21082 (100.000%)
>        Frag:            0 (  0.000%)
>        ICMP:            0 (  0.000%)
>         UDP:            0 (  0.000%)
>         TCP:        21082 (100.000%)
>         IP6:            0 (  0.000%)
>     IP6 Ext:            0 (  0.000%)
>    IP6 Opts:            0 (  0.000%)
>       Frag6:            0 (  0.000%)
>       ICMP6:            0 (  0.000%)
>        UDP6:            0 (  0.000%)
>        TCP6:            0 (  0.000%)
>      Teredo:            0 (  0.000%)
>     ICMP-IP:            0 (  0.000%)
>       EAPOL:            0 (  0.000%)
>        MPLS:            0 (  0.000%)
>         ARP:            0 (  0.000%)
>         IPX:            0 (  0.000%)
>    Eth Loop:            0 (  0.000%)
>    Eth Disc:            0 (  0.000%)
>    IP4 Disc:            0 (  0.000%)
>    IP6 Disc:            0 (  0.000%)
>    TCP Disc:            0 (  0.000%)
>    UDP Disc:            0 (  0.000%)
>   ICMP Disc:            0 (  0.000%)
> All Discard:            0 (  0.000%)
>       Other:            0 (  0.000%)
> Bad Chk Sum:            0 (  0.000%)
>     Bad TTL:            0 (  0.000%)
>      S5 G 1:            0 (  0.000%)
>      S5 G 2:         3055 ( 14.491%)
>       Total:        21082
> ===============================================================================
> Action Stats:
>      Alerts:         3050 ( 14.467%)
>      Logged:         3050 ( 14.467%)
>      Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:            0
>       Alert:            0
> Verdicts:
>       Allow:        18027 (100.000%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:            0 (  0.000%)
>   Blacklist:            0 (  0.000%)
>      Ignore:            0 (  0.000%)
> ===============================================================================
> Frag3 statistics:
>         Total Fragments: 0
>       Frags Reassembled: 0
>                Discards: 0
>           Memory Faults: 0
>                Timeouts: 0
>                Overlaps: 0
>               Anomalies: 0
>                  Alerts: 0
>                   Drops: 0
>      FragTrackers Added: 0
>     FragTrackers Dumped: 0
> FragTrackers Auto Freed: 0
>     Frag Nodes Inserted: 0
>      Frag Nodes Deleted: 0
> ===============================================================================
> Stream5 statistics:
>             Total sessions: 3124
>               TCP sessions: 3124
>               UDP sessions: 0
>              ICMP sessions: 0
>                IP sessions: 0
>                 TCP Prunes: 0
>                 UDP Prunes: 0
>                ICMP Prunes: 0
>                  IP Prunes: 0
> TCP StreamTrackers Created: 3124
> TCP StreamTrackers Deleted: 3124
>               TCP Timeouts: 875
>               TCP Overlaps: 0
>        TCP Segments Queued: 3055
>      TCP Segments Released: 3055
>        TCP Rebuilt Packets: 3051
>          TCP Segments Used: 3051
>               TCP Discards: 196
>                   TCP Gaps: 215
>       UDP Sessions Created: 0
>       UDP Sessions Deleted: 0
>               UDP Timeouts: 0
>               UDP Discards: 0
>                     Events: 45
>            Internal Events: 0
>            TCP Port Filter
>                    Dropped: 0
>                  Inspected: 0
>                    Tracked: 18027
>            UDP Port Filter
>                    Dropped: 0
>                  Inspected: 0
>                    Tracked: 0
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                         3098
>     GET methods:                          1
>     HTTP Request Headers extracted:       3098
>     HTTP Request Cookies extracted:       0
>     Post parameters extracted:            0
>     HTTP response Headers extracted:      0
>     HTTP Response Cookies extracted:      0
>     Unicode:                              0
>     Double unicode:                       0
>     Non-ASCII representable:              0
>     Directory traversals:                 0
>     Extra slashes ("//"):                 0
>     Self-referencing paths ("./"):        0
>     HTTP Response Gzip packets extracted: 0
>     Gzip Compressed Data Processed:       n/a
>     Gzip Decompressed Data Processed:     n/a
>     Total packets processed:              6154
> ===============================================================================
> dcerpc2 Preprocessor Statistics
>   Total sessions: 0
> ===============================================================================
> ===============================================================================
> Snort exiting
> 
> 
> 
> 
> doesn't work:
> 
> 
> 
> 
> 
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4 (Build 40)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using libpcap version 1.2.1
>            Using PCRE version: 8.30 2012-02-04
>            Using ZLIB version: 1.2.3.4
> 
> 
> 
> 
> Packet I/O Totals:
>    Received:        18027
>    Analyzed:        18027 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>         Eth:        21082 (100.000%)
>        VLAN:            0 (  0.000%)
>         IP4:        21082 (100.000%)
>        Frag:            0 (  0.000%)
>        ICMP:            0 (  0.000%)
>         UDP:            0 (  0.000%)
>         TCP:        21082 (100.000%)
>         IP6:            0 (  0.000%)
>     IP6 Ext:            0 (  0.000%)
>    IP6 Opts:            0 (  0.000%)
>       Frag6:            0 (  0.000%)
>       ICMP6:            0 (  0.000%)
>        UDP6:            0 (  0.000%)
>        TCP6:            0 (  0.000%)
>      Teredo:            0 (  0.000%)
>     ICMP-IP:            0 (  0.000%)
>       EAPOL:            0 (  0.000%)
>        MPLS:            0 (  0.000%)
>         ARP:            0 (  0.000%)
>         IPX:            0 (  0.000%)
>    Eth Loop:            0 (  0.000%)
>    Eth Disc:            0 (  0.000%)
>    IP4 Disc:            0 (  0.000%)
>    IP6 Disc:            0 (  0.000%)
>    TCP Disc:            0 (  0.000%)
>    UDP Disc:            0 (  0.000%)
>   ICMP Disc:            0 (  0.000%)
> All Discard:            0 (  0.000%)
>       Other:            0 (  0.000%)
> Bad Chk Sum:            0 (  0.000%)
>     Bad TTL:            0 (  0.000%)
>      S5 G 1:            0 (  0.000%)
>      S5 G 2:         3055 ( 14.491%)
>       Total:        21082
> ===============================================================================
> Action Stats:
>      Alerts:            0 (  0.000%)
>      Logged:            0 (  0.000%)
>      Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:            0
>       Alert:            0
> Verdicts:
>       Allow:        18027 (100.000%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:            0 (  0.000%)
>   Blacklist:            0 (  0.000%)
>      Ignore:            0 (  0.000%)
> ===============================================================================
> Frag3 statistics:
>         Total Fragments: 0
>       Frags Reassembled: 0
>                Discards: 0
>           Memory Faults: 0
>                Timeouts: 0
>                Overlaps: 0
>               Anomalies: 0
>                  Alerts: 0
>                   Drops: 0
>      FragTrackers Added: 0
>     FragTrackers Dumped: 0
> FragTrackers Auto Freed: 0
>     Frag Nodes Inserted: 0
>      Frag Nodes Deleted: 0
> ===============================================================================
> Stream5 statistics:
>             Total sessions: 3124
>               TCP sessions: 3124
>               UDP sessions: 0
>              ICMP sessions: 0
>                IP sessions: 0
>                 TCP Prunes: 0
>                 UDP Prunes: 0
>                ICMP Prunes: 0
>                  IP Prunes: 0
> TCP StreamTrackers Created: 3124
> TCP StreamTrackers Deleted: 3124
>               TCP Timeouts: 875
>               TCP Overlaps: 0
>        TCP Segments Queued: 3055
>      TCP Segments Released: 3055
>        TCP Rebuilt Packets: 3051
>          TCP Segments Used: 3051
>               TCP Discards: 196
>                   TCP Gaps: 0
>       UDP Sessions Created: 0
>       UDP Sessions Deleted: 0
>               UDP Timeouts: 0
>               UDP Discards: 0
>                     Events: 1195
>            Internal Events: 0
>            TCP Port Filter
>                    Dropped: 0
>                  Inspected: 0
>                    Tracked: 18027
>            UDP Port Filter
>                    Dropped: 0
>                  Inspected: 0
>                    Tracked: 0
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                         0
>     GET methods:                          0
>     HTTP Request Headers extracted:       0
>     HTTP Request Cookies extracted:       0
>     Post parameters extracted:            0
>     HTTP response Headers extracted:      0
>     HTTP Response Cookies extracted:      0
>     Unicode:                              0
>     Double unicode:                       0
>     Non-ASCII representable:              0
>     Directory traversals:                 0
>     Extra slashes ("//"):                 0
>     Self-referencing paths ("./"):        0
>     HTTP Response Gzip packets extracted: 0
>     Gzip Compressed Data Processed:       n/a
>     Gzip Decompressed Data Processed:     n/a
>     Total packets processed:              6154
> ===============================================================================
> SMTP Preprocessor Statistics
>   Total sessions                                    : 0
>   Max concurrent sessions                           : 0
> ===============================================================================
> dcerpc2 Preprocessor Statistics
>   Total sessions: 0
> ===============================================================================
> ===============================================================================
> Snort exiting
> 
> 
> 
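One way to compare the two statistics dumps above mechanically, as an added example that is not from the post or the Snort project: it parses Snort's end-of-run counters, lists those that differ between the working and non-working runs, and names the earliest pipeline stage where they diverge (with the numbers quoted in the post that is Stream5, whose TCP Gaps and Events counts change before http_inspect counts a single POST). The section names and the decode -> stream -> http_inspect -> detection ordering are assumptions taken from the output shown.

```python
import re

# Abridged stats from the two runs in the post: a constructed excerpt, values copied from the post.
RUN_2921 = """\
Action Stats:
     Alerts:         3050 ( 14.467%)
Stream5 statistics:
                   TCP Gaps: 215
                     Events: 45
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         3098
    Total packets processed:              6154
"""
RUN_294 = """\
Action Stats:
     Alerts:            0 (  0.000%)
Stream5 statistics:
                   TCP Gaps: 0
                     Events: 1195
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    Total packets processed:              6154
"""

# Matches "   Label:   1234 ( 12.3%)" or "   Label: 1234"; section headers carry no number.
COUNTER = re.compile(r"^\s*(?P<name>[A-Za-z0-9][^:]*?)\s*:\s+(?P<value>\d+)(?:\s*\(|\s*$)")

def parse_stats(text):
    """Map 'section/counter' -> int for every numeric line in Snort's stats dump."""
    counters, section = {}, "top"
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[section + "/" + m["name"]] = int(m["value"])
        elif line.rstrip().endswith(":"):      # e.g. "Stream5 statistics:"
            section = line.strip()[:-1]
    return counters

def diff_stats(good, bad):
    """Counters present in both runs whose values differ: [(name, good, bad)]."""
    return [(k, good[k], bad[k]) for k in good if k in bad and good[k] != bad[k]]

def first_divergent_stage(good, bad):
    """Earliest pipeline stage (assumed order) with a differing counter: start troubleshooting there."""
    order = ["Packet I/O Totals", "Breakdown by protocol (includes rebuilt packets)", "Stream5 statistics",
             "HTTP Inspect - encodings (Note: stream-reassembled packets included)", "Action Stats"]
    stages = {name.split("/", 1)[0] for name, _, _ in diff_stats(good, bad)}
    return next((s for s in order if s in stages), None)
```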