[Snort-users] HTTP INSPECT fails on Mirror Port

Russ Combs (rucombs) rucombs at ...589...
Mon Aug 4 07:54:03 EDT 2014


________________________________________
From: Anand Raj Manickam [anandrm at ...11827...]
Sent: Monday, August 04, 2014 4:01 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel at lists.sourceforge.net; snort-users at ...4137...orge.net
Subject: Re: HTTP INSPECT fails on Mirror Port

On Thu, Jul 31, 2014 at 5:28 PM, Russ Combs (rucombs) <rucombs at ...589...> wrote:
>
> ________________________________________
> From: Anand Raj Manickam [anandrm at ...11827...]
> Sent: Thursday, July 31, 2014 7:21 AM
> To: Russ Combs (rucombs)
> Cc: James Lay; snort-devel at lists.sourceforge.net; snort-users at ...635...eforge.net
> Subject: Re: HTTP INSPECT fails on Mirror Port
>
> I do not see any duplicate packets on the mirror port .
> I have the screen shot of snort :
>
> http://pastebin.com/dcYa4v2G
>
> Live packet capture in parallel
>
> * It looks like you fixed something because the duplicates in the pcap you sent are not shown below or in the shutdown counts.  However, those counts still show about half of the packets not processed by stream.  Of the 11 packets, only 6 are decoded as TCP and 5 are discarded by the decoder.  Most likely all traffic from your server is not decoded properly.
>
There is nothing fixed in the pcap; it looks like sometimes there is
random behavior in the switch, where I do see some dup packets. I'm
sure why those packets are decoded.

> * Please send an updated pcap.  Also, configure Snort to run in log mode and write a pcap (run Snort with -L but w/o -c).  You should see the same protocol breakdown counts, 11 total and 6 TCP.  Send that pcap too for comparison.

This is the dump with snort -L -i eth0 (w/o -c):
http://pastebin.com/RpQEMA8g

I have attached the pcap - snort-L.pcap and the log file.

* I don't see anything obvious in the pcap.  Try adding the following line to your conf and see if any alerts are generated:

config autogenerate_preprocessor_decoder_rules



>
>  # tcpdump -i eth0 -nn -e
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 04:15:24.568286 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
> (0x0800), length 74: 10.11.117.90.52465 > 192.168.1.110.80: Flags [S],
> seq 1075122842, win 4380, options [mss 1460,sackOK,TS val 2417285661
> ecr 0,nop,wscale 7], length 0
> 04:15:24.568369 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4
> (0x0800), length 74: 192.168.1.110.80 > 10.11.17.90.52465: Flags [S.],
> seq 1484212294, ack 1075122843, win 14480, options [mss 1460,sackOK,TS
> val 306401729 ecr 2417285661,nop,wscale 5], length 0
> 04:15:24.568564 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
> (0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [.],
> ack 1, win 35, options [nop,nop,TS val 2417285661 ecr 306401729],
> length 0
> 04:15:24.568699 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
> (0x0800), length 167: 10.11.17.90.52465 > 192.168.1.110.80: Flags
> [P.], seq 1:102, ack 1, win 35, options [nop,nop,TS val 2417285661 ecr
> 306401729], length 101
> 04:15:24.568703 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4
> (0x0800), length 66: 192.168.1.110.80 > 10.11.17.90.52465: Flags [.],
> ack 102, win 453, options [nop,nop,TS val 306401729 ecr 2417285661],
> length 0
> 04:15:24.569410 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4
> (0x0800), length 556: 192.168.1.110.80 > 10.11.17.90.52465: Flags
> [P.], seq 1:491, ack 102, win 453, options [nop,nop,TS val 306401729
> ecr 2417285661], length 490
> 04:15:24.569722 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
> (0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [.],
> ack 491, win 43, options [nop,nop,TS val 2417285661 ecr 306401729],
> length 0
> 04:15:24.570059 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
> (0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [F.],
> seq 102, ack 491, win 43, options [nop,nop,TS val 2417285662 ecr
> 306401729], length 0
> 04:15:24.570137 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4
> (0x0800), length 66: 192.168.1.110.80 > 10.11.17.90.52465: Flags [F.],
> seq 491, ack 103, win 453, options [nop,nop,TS val 306401729 ecr
> 2417285662], length 0
> 04:15:24.570285 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
> (0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [.],
> ack 492, win 43, options [nop,nop,TS val 2417285662 ecr 306401729],
> length 0
>
>
>
> On Mon, Jul 28, 2014 at 9:27 PM, Russ Combs (rucombs) <rucombs at ...589...> wrote:
>>
>> ________________________________
>> From: Anand Raj Manickam [anandrm at ...11827...]
>> Sent: Friday, July 25, 2014 8:53 PM
>>
>> To: Russ Combs (rucombs)
>> Cc: James Lay; snort-devel at lists.sourceforge.net;
>> snort-users at lists.sourceforge.net
>> Subject: HTTP INSPECT fails on Mirror Port
>>
>> Yes, the pcap was captured on the same box running Snort.
>> The capture was on the port configured on mirror.
>>
>> * Looks like your mirror is sending two copies of all TCP packets to your
>> sensor.  Not sure why you see different results but you might have better
>> luck if you eliminate the duplicates.
>>
>>
>> On Friday, July 25, 2014, Russ Combs (rucombs) <rucombs at ...589...> wrote:
>>>
>>>
>>> ________________________________________
>>> From: Anand Raj Manickam [anandrm at ...11827...]
>>> Sent: Friday, July 25, 2014 1:42 AM
>>> To: Russ Combs (rucombs)
>>> Cc: James Lay; snort-devel at lists.sourceforge.net;
>>> snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror Port
>>>
>>> This is the shutdown dump on Network Tap mode
>>> http://pastebin.com/ADWvJAZQ
>>> The Shutdown dump on pcap readback mode http://pastebin.com/afVJbawK
>>> The difference I see is in Stream5 Statistics and the invocation of
>>> HTTP Inspect on pcap readback mode.
>>>
>>> * There is a bigger difference.  Check your protocol breakdown counts.
>>> Half the packets from the network are discarded.
>>>
>>> * This is why I asked if your pcap was captured from the box you are
>>> running Snort.  If you can capture a pcap there you can reproduce the
>>> problem in read back and compare pcaps.
>>>
>>> On Thu, Jul 24, 2014 at 10:27 PM, Russ Combs (rucombs)
>>> <rucombs at ...589...> wrote:
>>> > Did you capture the pcap on the box where you are running Snort?  How do
>>> > Snort's shutdown stats compare between pcap readback and network tap modes?
>>> >
>>> > ________________________________________
>>> > From: Anand Raj Manickam [anandrm at ...11827...]
>>> > Sent: Thursday, July 24, 2014 11:57 AM
>>> > To: James Lay; snort-devel at lists.sourceforge.net
>>> > Cc: snort-users at lists.sourceforge.net
>>> > Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror
>>> > Port
>>> >
>>> > Hi,
>>> > Can someone on dev list help me ?
>>> >
>>> > I have Snort configured on the mirror port of a switch. Snort fails
>>> > to detect HTTP, but it does detect TCP and Stream5.
>>> > The Stream5 stats only show that it tracks. I have the http_inspect
>>> > and http_inspect_server preprocessors configured.
>>> > But when configured to read from a pcap file, with the same config, the
>>> > HTTP is detected.
>>> > Can someone shed some light on what's missing in my configuration in
>>> > live mirror port mode?
>>> >
>>> > # snort --daq-list
>>> > Available DAQ modules:
>>> > pcap(v3): readback live multi unpriv
>>> > nfq(v7): live inline multi
>>> > ipfw(v3): live inline multi unpriv
>>> > dump(v2): readback live inline multi unpriv
>>> >
>>> > The config file : http://pastebin.com/qUpTfRLY
>>> > The Snort Stats : http://pastebin.com/ADWvJAZQ
>>> >
>>> > With a pcap file , the HTTP Inspect is fine :
>>> >  snort  -c /snort-2.9.6.1/etc/snort.conf  -r /data/test.pcap
>>> >
>>> > Thanks,
>>> >
>>> > On Wed, Jul 23, 2014 at 5:24 PM, James Lay <jlay at ...13475...>
>>> > wrote:
>>> >> On Tue, 2014-07-22 at 18:33 +0530, Anand Raj Manickam wrote:
>>> >>> Did try with
>>> >>> For Snort :
>>> >>> ./configure --with-dnet-includes=/opt/include/
>>> >>> --with-dnet-libraries=/opt/lib --enable-sourcefire
>>> >>> --enable-non-ether-decoders
>>> >>> The behaviour is the same
>>> >>>
>>> >>> For DAQ : # ./configure --with-dnet-includes=/opt/include/
>>> >>> --with-dnet-libraries=/opt/lib
>>> >>> Build AFPacket DAQ module.. : no
>>> >>> Build Dump DAQ module...... : yes
>>> >>> Build IPFW DAQ module...... : yes
>>> >>> Build IPQ DAQ module....... : no
>>> >>> Build NFQ DAQ module....... : yes
>>> >>> Build PCAP DAQ module...... : yes
>>> >>>
>>> >>> Not sure why AFPacket fails. But since the testbed is TAP mode, I did
>>> >>> not care.
>>> >>>
>>> >>>
>>> >>> On Mon, Jul 21, 2014 at 10:36 PM, James Lay <jlay at ...13475...>
>>> >>> wrote:
>>> >>> > On 2014-07-21 10:41, Anand Raj Manickam wrote:
>>> >>> >> My understanding was you do not need afpacket for a mirror port,
>>> >>> >> since
>>> >>> >> the setting was pcap - passive. Please correct me if I'm wrong.
>>> >>> >> snort was configured with ./configure --with-dnet-includes=/xyz
>>> >>> >> --with-dnet-libraries=/xyz
>>> >>> >> DAQ without any parameters
>>> >>> >>
>>> >>> >> On Mon, Jul 21, 2014 at 9:39 PM, James Lay
>>> >>> >> <jlay at ...13475...>
>>> >>> >> wrote:
>>> >>> >>> On 2014-07-21 09:52, Anand Raj Manickam wrote:
>>> >>> >>>> Hi James,
>>> >>> >>>> I have attached the pcap.
>>> >>> >>>> Thanks,
>>> >>> >>>> Anand
>>> >>> >
>>> >>> > Technically I believe you are right, but at this stage, I'm playing
>>> >>> > "spot the differences".  My snort config line:
>>> >>> >
>>> >>> > ./configure --prefix=/opt --enable-sourcefire
>>> >>> > --with-dnet-libraries=/usr/local/lib --enable-non-ether-decoders
>>> >>> >
>>> >>> > and my daq config and a snippet of that output:
>>> >>> >
>>> >>> > ./configure --prefix=/usr
>>> >>> >
>>> >>> > Build AFPacket DAQ module.. : yes
>>> >>> > Build Dump DAQ module...... : yes
>>> >>> > Build IPFW DAQ module...... : yes
>>> >>> > Build IPQ DAQ module....... : no
>>> >>> > Build NFQ DAQ module....... : no
>>> >>> > Build PCAP DAQ module...... : yes
>>> >>> >
>>> >>> > How does yours differ?
>>> >>> >
>>> >>> > James
>>> >>
>>> >> At this point I'm out of ideas...perhaps one of the devs can assist.
>>> >>
>>> >> James
>>> >>
>>> >>
>>> >>
>>> >> _______________________________________________
>>> >> Snort-users mailing list
>>> >> Snort-users at lists.sourceforge.net
>>> >> Go to this URL to change user options or unsubscribe:
>>> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> >> Snort-users list archive:
>>> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> >>
>>> >> Please visit http://blog.snort.org to stay current on all the latest
>>> >> Snort news!
>>> >
>>> >
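Two of the checks Russ asks for in this thread, the protocol breakdown and whether the mirror is delivering each TCP segment twice, can be made offline on the pcap that `snort -L` writes. The script below is an added example, not code from the thread or from the Snort project: a stdlib-only Python parser for classic pcap (the format libpcap writes) that counts frames by ethertype and IP protocol and flags TCP segments whose headers repeat within a few milliseconds. The sample traffic is constructed inline (MAC and IP addresses copied from the tcpdump output above, one SYN deliberately emitted twice, plus an ARP frame); pass a pcap path as the first argument to run it on a real capture.

```python
import socket
import struct
import sys
from collections import Counter

# Constructed sample frames, not the thread's pcap; MACs and IPs reuse the ones in the tcpdump output.
MAC_CLIENT, MAC_SERVER = bytes.fromhex("00175400614f"), bytes.fromhex("001d9268181a")
SYN, SYNACK, ACK = 0x02, 0x12, 0x10

def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums stay zero because this parser never verifies them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 4380, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp

def pcap_bytes(records):
    """Serialize (timestamp, frame) pairs as a little-endian classic pcap, linktype 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame)
    return b"".join(out)

T0 = 1407140124.568286
_syn = tcp_frame(MAC_CLIENT, MAC_SERVER, "10.11.17.90", "192.168.1.110", 52465, 80, 1075122842, 0, SYN)
SAMPLE_PCAP = pcap_bytes([
    (T0, _syn),
    (T0 + 0.000010, _syn),  # the same SYN again 10 us later: what a mirror emitting two copies looks like
    (T0 + 0.000083, tcp_frame(MAC_SERVER, MAC_CLIENT, "192.168.1.110", "10.11.17.90",
                              80, 52465, 1484212294, 1075122843, SYNACK)),
    (T0 + 0.000278, tcp_frame(MAC_CLIENT, MAC_SERVER, "10.11.17.90", "192.168.1.110",
                              52465, 80, 1075122843, 1484212295, ACK)),
    (T0 + 0.001000, b"\xff" * 6 + MAC_CLIENT + b"\x08\x06" + b"\x00" * 28),  # an ARP request
])

def read_pcap(data):
    """Yield (timestamp, linktype, frame) from classic pcap bytes; pcapng is not handled."""
    magic, = struct.unpack_from("<I", data, 0)
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if e is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(e + "I", data, 20)
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, linktype, data[off:off + incl_len]
        off += incl_len

def decode(linktype, frame):
    """Classify one frame as (layer-2 label, layer-3/4 label, TCP key). The key
    (addresses, ports, seq, ack, flags) identifies a segment for duplicate detection."""
    if linktype != 1 or len(frame) < 14:
        return "non-ethernet or runt", None, None
    ethertype, = struct.unpack_from("!H", frame, 12)
    off = 14
    while ethertype in (0x8100, 0x88A8) and len(frame) >= off + 4:  # skip 802.1Q / QinQ tags
        ethertype, = struct.unpack_from("!H", frame, off + 2)
        off += 4
    if ethertype != 0x0800:
        return "ethertype 0x%04x" % ethertype, None, None
    if len(frame) < off + 20:
        return "ipv4", "truncated ip", None
    ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
    src, dst = socket.inet_ntoa(frame[off + 12:off + 16]), socket.inet_ntoa(frame[off + 16:off + 20])
    if proto != 6:
        return "ipv4", "ip proto %d" % proto, None
    t = off + ihl
    if len(frame) < t + 20:
        return "ipv4", "truncated tcp", None
    sport, dport, seq, ack = struct.unpack_from("!HHII", frame, t)
    return "ipv4", "tcp", (src, sport, dst, dport, seq, ack, frame[t + 13])

def analyze(data, dup_window=0.005):
    """Return the protocol breakdown and (earlier, later) 1-based packet numbers whose
    TCP headers are identical and arrive within dup_window seconds of each other."""
    counts, dups, last_seen = Counter(), [], {}
    for num, (ts, linktype, frame) in enumerate(read_pcap(data), 1):
        counts["total"] += 1
        l2, l34, key = decode(linktype, frame)
        counts[l2] += 1
        if l34:
            counts[l34] += 1
        if key is not None:
            prev = last_seen.get(key)
            if prev is not None and ts - prev[0] <= dup_window:
                dups.append((prev[1], num))
            last_seen[key] = (ts, num)
    return counts, dups

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    counts, dups = analyze(data)
    for label, n in sorted(counts.items()):
        print("%-22s %d" % (label, n))
    for earlier, later in dups:
        print("packet %d repeats packet %d" % (later, earlier))
```

A genuine retransmission repeats the same header too, but normally hundreds of milliseconds later, so the 5 ms window separates mirror duplicates from retransmits; widen it if the switch buffers the second copy. The breakdown is the same kind of count Snort prints at shutdown: a total that matches Snort's while the TCP count does not points at the decoder rather than at the capture, and an unexpected ethertype line (a VLAN tag the tool skips here, or something it does not) is the first thing to compare against the decoder alerts that `config autogenerate_preprocessor_decoder_rules` enables.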