[Snort-users] enable_xff with Snort

Balasubramaniam Natarajan bala150985 at ...11827...
Mon Sep 23 09:27:22 EDT 2013


Here they are......

I am on snort version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5.3 GRE (Build 132)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.7


On Mon, Sep 23, 2013 at 7:39 AM, Bhagya Bantwal <bbantwal at ...1935...>wrote:

> What is the snort version being used? Also what does your stream5 config
> look like?
>
> Thanks!
> -B
>
>
> On Sun, Sep 22, 2013 at 6:30 AM, Balasubramaniam Natarajan <
> bala150985 at ...11827...> wrote:
>
>> Hi
>>
>> I have been trying to configure snort's http_inspect for some time now
>> without any success.
>>
>> excerpt from snort.conf
>>
>> # HTTP normalization and anomaly detection.  For more information, see
>> README.http_inspect
>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>> compress_depth 65535 decompress_depth 65535
>>
>> preprocessor http_inspect_server: server { 10.0.0.0/8 192.168.1.0/24
>> 192.168.56.0/24 } \
>>              profile all ports { 80 81 82 83 84 85 86 87 88 89 90 311 383
>> 591 593 631 901 1220 1414 1741 1830 2301 2381 2809 3037 3057 3128 3443 3702
>> 4343 4848 5250 6080 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014
>> 8028 8080 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8800
>> 8888 8899 9000 9060 9080 9090 9091 9443 9999 10000 11371 34443 34444 41080
>> 50000 50002 55555 } enable_xff
>>
>> Here you can see that I have turned on enable_xff.
>>
>> While running snort I can see that "Enable XFF and True Client IP: YES"
>>
>> HttpInspect Config:
>>     GLOBAL CONFIG
>>       Max Pipeline Requests:    0
>>       Inspection Type:          STATELESS
>>       Detect Proxy Usage:       NO
>>       IIS Unicode Map Filename: /store/snort/etc/unicode.map
>>       IIS Unicode Map Codepage: 1252
>>       Memcap used for logging URI and Hostname: 150994944
>>       Max Gzip Memory: 838860
>>       Max Gzip Sessions: 9532
>>       Gzip Compress Depth: 65535
>>       Gzip Decompress Depth: 65535
>>     SERVER: 10.0.0.0/8 192.168.1.0/24 192.168.56.0/24
>>       Server profile: All
>>       Ports (PAF): 80 81 82 83 84 85 86 87 88 89 90 311 383 591 593 631
>> 901 1220 1414 1741 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848
>> 5250 6080 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080
>> 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8800 8888 8899
>> 9000 9060 9080 9090 9091 9443 9999 10000 11371 34443 34444 41080 50000
>> 50002 55555
>>       Server Flow Depth: 300
>>       Client Flow Depth: 300
>>       Max Chunk Length: 500000
>>       Max Header Field Length: 0
>>       Max Number Header Fields: 0
>>       Max Number of WhiteSpaces allowed with header folding: 200
>>       Inspect Pipeline Requests: YES
>>       URI Discovery Strict Mode: NO
>>       Allow Proxy Usage: NO
>>       Disable Alerting: NO
>>       Oversize Dir Length: 0
>>       Only inspect URI: NO
>>       Normalize HTTP Headers: NO
>>       Inspect HTTP Cookies: NO
>>       Inspect HTTP Responses: NO
>>       Extract Gzip from responses: NO
>>       Unlimited decompression of gzip data from responses: NO
>>       Normalize Javascripts in HTTP Responses: NO
>>       Normalize HTTP Cookies: NO
>>       Enable XFF and True Client IP: YES
>>       Log HTTP URI data: NO
>>       Log HTTP Hostname data: NO
>>       Extended ASCII code support in URI: NO
>>       Ascii: YES alert: NO
>>       Double Decoding: YES alert: YES
>>       %U Encoding: YES alert: YES
>>       Bare Byte: YES alert: YES
>>       UTF 8: OFF
>>       IIS Unicode: YES alert: YES
>>       Multiple Slash: YES alert: NO
>>       IIS Backslash: YES alert: NO
>>       Directory Traversal: YES alert: NO
>>       Web Root Traversal: YES alert: YES
>>       Apache WhiteSpace: YES alert: NO
>>       IIS Delimiter: YES alert: NO
>>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>       Non-RFC Compliant Characters: NONE
>>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>>     DEFAULT SERVER CONFIG:
>>
>> Now I try to generate an alert by going to test.com using the command
>> shown
>>
>> $ wget  -U ".Debian.APT-HTTP/1.3.(0.9.7.7ubuntu4)" test.com
>>
>> For some strange reason I cannot get snort to log ExtraData for the True
>> Client IP.
>>
>> # u2spewfoo /tmp/log/snort.alert.log.1379845107
>>
>> (Event)
>>     sensor id: 0    event id: 1    event second: 1379845237    event
>> microsecond: 165224
>>     sig id: 2013504    gen id: 1    revision: 3     classification: 1
>>     priority: 3    ip source: 10.0.2.15    ip destination: 174.36.85.72
>>     src port: 60145    dest port: 80    protocol: 6    impact_flag: 0
>> blocked: 0
>>
>> Packet
>>     sensor id: 0    event id: 1    event second: 1379845237
>>     packet second: 1379845237    packet microsecond: 165224
>>     linktype: 1    packet_length: 272
>> [    0] 52 54 00 12 35 02 08 00 27 EE 1B A6 08 00 45 00  RT..5...'.....E.
>> [   16] 01 02 BA 59 40 00 40 06 70 21 0A 00 02 0F AE 24  ...Y@.@.p!.....$
>> [   32] 55 48 EA F1 00 50 88 D7 92 2E AE CB 12 02 50 18  UH...P........P.
>> [   48] 39 08 10 70 00 00 47 45 54 20 2F 20 48 54 54 50  9..p..GET / HTTP
>> [   64] 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74  /1.1..User-Agent
>> [   80] 3A 20 2E 44 65 62 69 61 6E 2E 41 50 54 2D 48 54  : .Debian.APT-HT
>> [   96] 54 50 2F 31 2E 33 2E 28 30 2E 39 2E 37 2E 37 75  TP/1.3.(0.9.7.7u
>> [  112] 62 75 6E 74 75 34 29 0D 0A 41 63 63 65 70 74 3A  buntu4)..Accept:
>> [  128] 20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 74 65 73 74   */*..Host: test
>> [  144] 2E 63 6F 6D 0D 0A 56 69 61 3A 20 31 2E 31 20 6C  .com..Via: 1.1 l
>> [  160] 6F 63 61 6C 68 6F 73 74 20 28 73 71 75 69 64 2F  ocalhost (squid/
>> [  176] 33 2E 31 2E 32 30 29 0D 0A 58 2D 46 6F 72 77 61  3.1.20)..X-Forwa
>> [  192] 72 64 65 64 2D 46 6F 72 3A 20 31 39 32 2E 31 36  rded-For: 192.16
>> [  208] 38 2E 31 2E 32 0D 0A 43 61 63 68 65 2D 43 6F 6E  8.1.2..Cache-Con
>> [  224] 74 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D 32 35  trol: max-age=25
>> [  240] 39 32 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E  9200..Connection
>> [  256] 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A  : keep-alive....
>>
>>
>>
>> --
>> Regards,
>> Balasubramaniam Natarajan
>> www.blog.etutorshop.com
>>
>>
>
>


-- 
Regards,
Balasubramaniam Natarajan
www.blog.etutorshop.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.conf
Type: application/octet-stream
Size: 22510 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130923/68e635e4/attachment.obj>

