[Snort-users] Snort HTTP Inspect

Russ Combs rcombs at ...1935...
Tue Jun 4 15:35:07 EDT 2013


What do the shutdown stats show?  You may need to add -k none to your
command line.

On Tue, Jun 4, 2013 at 3:19 PM, Joel Esler <jesler at ...1935...> wrote:

> Can you send the pcap so we can look at what you are seeing?
>
> On Jun 4, 2013, at 12:22 PM, Zubair Rafique <m_zubair_rafique at ...131...>
> wrote:
>
> Hi,
>
> I am using the following configuration file to use Snort in IDS mode.
> Unfortunately, it appears that Snort is only inspecting HTTP responses and
> not the requests. Am I missing something here?
>
> # Inline packet normalization. For more information, see README.normalize
> # Does nothing in IDS mode
> preprocessor normalize_ip4
> preprocessor normalize_tcp: ips ecn stream
> preprocessor normalize_icmp4
> preprocessor normalize_ip6
> preprocessor normalize_icmp6
>
> # Target-based IP defragmentation.  For more information, see README.frag3
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
>
> # Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
> preprocessor stream5_global: track_tcp yes, \
>    track_udp yes, \
>    track_icmp no, \
>    max_tcp 262144, \
>    max_udp 131072, \
>    max_active_responses 2, \
>    min_response_seconds 5
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>     ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \
>         161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
>         7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>     ports both 80 81 82 83 84 85 86 87 88 89 110 311 383 443 465 563 591 593 631 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3057 3128 3702 4343 4848 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 7779 \
>         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
>         7917 7918 7919 7920 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 10000 11371 34443 34444 41080 50002 55555
> preprocessor stream5_udp: timeout 180
>
> # performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>
> # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 max_gzip_mem 104857600
> preprocessor http_inspect_server: server default \
>     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>     chunk_length 500000 \
>     server_flow_depth 300 \
>     client_flow_depth 300 \
>     post_depth 65495 \
>     oversize_dir_length 500 \
>     max_header_length 750 \
>     max_headers 100 \
>     max_spaces 200 \
>     small_chunk_length { 10 5 } \
>     ports { 80 81 82 83 84 85 86 87 88 89 311 383 591 593 631 901 1220 1414 1741 1830 2301 2381 2809 3037 3057 3128 3702 4343 4848 5250 6080 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 10000 11371 34443 34444 41080 50002 55555 } \
>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>     enable_cookie \
>     extended_response_inspection \
>     inspect_gzip \
>     normalize_utf \
>     unlimited_decompress \
>     normalize_javascript \
>     apache_whitespace no \
>     ascii no \
>     bare_byte no \
>     directory no \
>     double_decode no \
>     iis_backslash no \
>     iis_delimiter no \
>     iis_unicode no \
>     multi_slash no \
>     utf_8 no \
>     u_encode yes \
>     webroot no
>
>
>
> Command line: sudo /usr/local/snort/bin/snort -i eth0 -c /usr/local/snort/etc/snort.conf -l /var/log/snort/ -A fast -I -L sig.pcap
>
>
> The output for HTTP is like
>
>
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                         0
>     GET methods:                          0
>     HTTP Request Headers extracted:       0
>     HTTP Request Cookies extracted:       0
>     Post parameters extracted:            0
>     HTTP response Headers extracted:      1
>     HTTP Response Cookies extracted:      0
>     Unicode:                              0
>     Double unicode:                       0
>     Non-ASCII representable:              0
>     Directory traversals:                 0
>     Extra slashes ("//"):                 0
>     Self-referencing paths ("./"):        0
>     HTTP Response Gzip packets extracted: 0
>     Gzip Compressed Data Processed:       n/a
>     Gzip Decompressed Data Processed:     n/a
>     Total packets processed:              13
>
> ===============================================================================
>
>
> It seems like it has inspected the response successfully and cannot do
> anything about the request. A simple rule with "http_method" is not firing any
> alert. Any ideas about it?
>
> ------------------------------------------------------------------------------
> How ServiceNow helps IT people transform IT departments:
> 1. A cloud service to automate IT design, transition and operations
> 2. Dashboards that offer high-level views of enterprise services
> 3. A single system of record for all IT processes
> http://p.sf.net/sfu/servicenow-d2d-j
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
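Added example, not part of the thread above and not Snort's code: a self-contained Python emulation of the checksum gate that the "-k none" suggestion addresses. One explanation consistent with the stats in the post (one response header extracted, zero requests, nothing firing on http_method) is TCP checksum offload on the capture host: outbound segments are captured before the NIC fills in the checksum, so locally generated requests fail verification while the peer's responses, checksummed by the remote stack, pass. Snort's default checksum mode ("-k all") verifies checksums and does not hand failing packets on to the preprocessors, so http_inspect never sees the request; "-k none" disables the check. The packets, the RFC 5737 documentation addresses, and the simplified request/response classifier are all constructed for this example.

```python
"""
Emulate why Snort's http_inspect can see HTTP responses but no requests
when sniffing on a host with TCP checksum offload enabled.

Constructed example: builds one request (checksum left unfilled, as
libpcap captures it before the NIC computes it) and one response
(checksum valid), then shows what reaches a request/response counter
under a "-k all"-style checksum gate versus "-k none".
"""
import struct

# Request methods recognised by the toy classifier below (hypothetical
# subset; real http_inspect uses the http_methods list from snort.conf).
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, zero-padded to even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in (one's complement)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   payload: bytes, fill_checksum: bool = True) -> bytes:
    """Minimal IPv4 + TCP segment, no IP or TCP options.

    With fill_checksum=False the TCP checksum field stays 0, mimicking a
    segment captured on the sending host before TX checksum offload ran.
    """
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    tcp_len = 20 + len(payload)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    if fill_checksum:
        pseudo = ip_src + ip_dst + struct.pack("!BBH", 0, 6, tcp_len)
        csum = rfc1071_checksum(pseudo + tcp)
        tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    # version/IHL, TOS, total length, id, DF flag, TTL, proto TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64,
                     6, 0, ip_src, ip_dst)
    ip = ip[:10] + struct.pack("!H", rfc1071_checksum(ip)) + ip[12:]
    return ip + tcp


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Verify the TCP checksum of an IPv4/TCP packet (assumes no IP options).

    Summing the pseudo-header and the whole segment, checksum field
    included, must give zero for a correctly checksummed segment.
    """
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return rfc1071_checksum(pseudo + tcp) == 0


def http_inspect_counts(packets, checksum_mode: str = "all") -> dict:
    """Toy stand-in for the gate in front of http_inspect.

    checksum_mode "all" (Snort's default) discards packets that fail the TCP
    checksum before any inspection; "none" inspects everything.  Returns
    how many requests and responses the inspector would have seen.
    """
    stats = {"requests": 0, "responses": 0, "bad_checksum": 0}
    for pkt in packets:
        if checksum_mode != "none" and not tcp_checksum_ok(pkt):
            stats["bad_checksum"] += 1
            continue
        ihl = (pkt[0] & 0x0F) * 4
        payload = pkt[ihl + 20:]            # 20-byte TCP header, no options
        if payload.startswith(b"HTTP/"):
            stats["responses"] += 1
        elif payload.split(b" ", 1)[0] in HTTP_METHODS:
            stats["requests"] += 1
    return stats


# Constructed traffic: the request leaves the sensor host with its checksum
# still unfilled (offload); the response arrives from the server intact.
REQUEST = build_ipv4_tcp("192.0.2.10", "198.51.100.20", 40000, 80,
                         b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
                         fill_checksum=False)
RESPONSE = build_ipv4_tcp("198.51.100.20", "192.0.2.10", 80, 40000,
                          b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for mode in ("all", "none"):
        print("-k %-4s -> %s" % (mode, http_inspect_counts([REQUEST, RESPONSE], mode)))
```

Under the default mode the counter reports one response, zero requests and one bad-checksum packet, which is the shape of the stats in the post; under "none" both packets are counted. Before reaching for -k none, confirm the diagnosis in Snort's shutdown statistics as Russ suggests (a non-zero bad-checksum count in the protocol breakdown). Note the trade-off: ignoring checksums means Snort will also inspect deliberately corrupt segments that the real endpoint would discard, the classic IDS insertion evasion, so on a production sensor it is preferable to disable TX checksum offload on the capture interface (for example ethtool -K eth0 tx off) or to capture on a span port that sees post-NIC frames.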