[Snort-users] enable_xff with Snort

Balasubramaniam Natarajan bala150985 at ...11827...
Sun Sep 22 06:30:59 EDT 2013


Hi

I have been trying to configure snort's http_inspect for some time now without
any success.

excerpt from snort.conf

# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535

preprocessor http_inspect_server: server { 10.0.0.0/8 192.168.1.0/24 192.168.56.0/24 } \
    profile all ports { 80 81 82 83 84 85 86 87 88 89 90 311 383 591 593 631 901 1220 1414 1741 \
    1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250 6080 6988 7000 7001 7144 7145 \
    7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 \
    8300 8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 10000 11371 34443 34444 41080 \
    50000 50002 55555 } \
    enable_xff

Here you can see that I have turned on enable_xff.

While running snort I can see that "Enable XFF and True Client IP: YES"

HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /store/snort/etc/unicode.map
      IIS Unicode Map Codepage: 1252
      Memcap used for logging URI and Hostname: 150994944
      Max Gzip Memory: 838860
      Max Gzip Sessions: 9532
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
    SERVER: 10.0.0.0/8 192.168.1.0/24 192.168.56.0/24
      Server profile: All
      Ports (PAF): 80 81 82 83 84 85 86 87 88 89 90 311 383 591 593 631 901
1220 1414 1741 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250
6080 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085
8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8800 8888 8899 9000
9060 9080 9090 9091 9443 9999 10000 11371 34443 34444 41080 50000 50002
55555
      Server Flow Depth: 300
      Client Flow Depth: 300
      Max Chunk Length: 500000
      Max Header Field Length: 0
      Max Number Header Fields: 0
      Max Number of WhiteSpaces allowed with header folding: 200
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 0
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Inspect HTTP Cookies: NO
      Inspect HTTP Responses: NO
      Extract Gzip from responses: NO
      Unlimited decompression of gzip data from responses: NO
      Normalize Javascripts in HTTP Responses: NO
      Normalize HTTP Cookies: NO
      Enable XFF and True Client IP: YES
      Log HTTP URI data: NO
      Log HTTP Hostname data: NO
      Extended ASCII code support in URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
    DEFAULT SERVER CONFIG:

Now I try to generate an alert by going to test.com using the command shown

$ wget  -U ".Debian.APT-HTTP/1.3.(0.9.7.7ubuntu4)" test.com

For some strange reason I cannot get snort to log ExtraData for the True
Client IP.

# u2spewfoo /tmp/log/snort.alert.log.1379845107

(Event)
    sensor id: 0    event id: 1    event second: 1379845237    event microsecond: 165224
    sig id: 2013504    gen id: 1    revision: 3     classification: 1
    priority: 3    ip source: 10.0.2.15    ip destination: 174.36.85.72
    src port: 60145    dest port: 80    protocol: 6    impact_flag: 0    blocked: 0

Packet
    sensor id: 0    event id: 1    event second: 1379845237
    packet second: 1379845237    packet microsecond: 165224
    linktype: 1    packet_length: 272
[    0] 52 54 00 12 35 02 08 00 27 EE 1B A6 08 00 45 00  RT..5...'.....E.
[   16] 01 02 BA 59 40 00 40 06 70 21 0A 00 02 0F AE 24  ...Y@.@.p!.....$
[   32] 55 48 EA F1 00 50 88 D7 92 2E AE CB 12 02 50 18  UH...P........P.
[   48] 39 08 10 70 00 00 47 45 54 20 2F 20 48 54 54 50  9..p..GET / HTTP
[   64] 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74  /1.1..User-Agent
[   80] 3A 20 2E 44 65 62 69 61 6E 2E 41 50 54 2D 48 54  : .Debian.APT-HT
[   96] 54 50 2F 31 2E 33 2E 28 30 2E 39 2E 37 2E 37 75  TP/1.3.(0.9.7.7u
[  112] 62 75 6E 74 75 34 29 0D 0A 41 63 63 65 70 74 3A  buntu4)..Accept:
[  128] 20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 74 65 73 74   */*..Host: test
[  144] 2E 63 6F 6D 0D 0A 56 69 61 3A 20 31 2E 31 20 6C  .com..Via: 1.1 l
[  160] 6F 63 61 6C 68 6F 73 74 20 28 73 71 75 69 64 2F  ocalhost (squid/
[  176] 33 2E 31 2E 32 30 29 0D 0A 58 2D 46 6F 72 77 61  3.1.20)..X-Forwa
[  192] 72 64 65 64 2D 46 6F 72 3A 20 31 39 32 2E 31 36  rded-For: 192.16
[  208] 38 2E 31 2E 32 0D 0A 43 61 63 68 65 2D 43 6F 6E  8.1.2..Cache-Con
[  224] 74 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D 32 35  trol: max-age=25
[  240] 39 32 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E  9200..Connection
[  256] 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A  : keep-alive....


-- 
Regards,
Balasubramaniam Natarajan
www.blog.etutorshop.com