[Snort-users] HTTP INSPECT fails on Mirror Port

Russ Combs (rucombs) rucombs at ...589...
Wed Aug 6 11:58:27 EDT 2014


________________________________________
From: Anand Raj Manickam [anandrm at ...11827...]
Sent: Wednesday, August 06, 2014 5:47 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel at lists.sourceforge.net; snort-users at ...4137...orge.net
Subject: Re: HTTP INSPECT fails on Mirror Port

On Wed, Aug 6, 2014 at 12:48 AM, Russ Combs (rucombs) <rucombs at ...589...> wrote:
>
> ________________________________________
> From: Anand Raj Manickam [anandrm at ...11827...]
> Sent: Tuesday, August 05, 2014 4:05 AM
> To: Russ Combs (rucombs)
> Cc: James Lay; snort-devel at lists.sourceforge.net; snort-users at ...635...eforge.net
> Subject: Re: HTTP INSPECT fails on Mirror Port
>
>> * You have something weird going on.  Now 6 are eth:ip4:tcp and 4 are eth:other.  Previously they were eth:ip4:other.
>>
>> * At this point, since it happens only on your interface, I suggest compiling a debug version of Snort so you can catch it and see what's up.  You will need to set breakpoints in decode.c in DecodeEthPkt() and DecodeIPv4Proto() wherever pc.other++ happens and figure out what protocol it sees instead of IP and TCP respectively.
>
> I have the gdb breaks set; I see that in live packet capture mode
> there appears to be an internal fragmentation of the packet: though the
> MTU is 1500, the max size of a packet in this capture is only 556.
> If you look at the pkt struct's data, I see characters. But when I
> played with pcap, I never saw character data. (This is the reason
> why pcap works.)
>
> * The problem does not appear to be with the length.  Your 556 byte server response is the actual, full size:
>
> eth:ip4:tcp:http = 14 + 20 + 32 + 490 = 556
>
> * You need to break on the pc.other++ lines in the above two functions and then look at exactly what the next layer protocol is.  That is why decode is failing in these functions.
>
> * For example, in the eth function you can execute this command:
>
> p /x p->eh->ether_type
>
> * And in the ip4 function you can execute this command:
>
> p /x proto

Sorry, I forgot to mention that I did see random values on
ether_type (0x40, 0x203a etc.), whereas when I ran with the pcap, the
ptype was always 0x8.
Not sure why the packets are split.

* OK, we are getting closer.  Please break on the pc.other++ lines only.  Those are where the packets stop getting decoded because of an unrecognized type.

* The values you are printing are in network byte order, so the eth 0x80 is actually 0x0800 which indicates IP.  The IP 0x6 is TCP.  The only other value your pcap has is eth 0x0806 which indicates ARP.  The rest of the values below are most likely indicative of the problem you have.

* Why do you say "the packets are split"?  Do the lengths not correspond to the packets in your pcap?

Below is the gdb dump in tap mode:

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$28 = 0x40
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$29 = 0x40
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$30 = 0x8
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7494064 "\255L", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb)  p /x p->iph->ip_proto
$31 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$32 = 0x203a
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$33 = 0x8
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb)  p /x p->iph->ip_proto
$34 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
added, yet.</p>\n</body></html>\n") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
added, yet.</p>\n</body></html>\n") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$35 = 0x7475
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496064 "\255L", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) p /x p->eh->ether_type
$36 = 0x8
(gdb)  p /x p->iph->ip_proto
$37 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
650 {
(gdb) c
Continuing.




>
> I have the GDB dump below , with bt .
>
> I have turned off all offload settings
>
> # ethtool -k eth0
> Offload parameters for eth0:
> rx-checksumming: off
> tx-checksumming: off
> scatter-gather: off
> tcp segmentation offload: off
> udp fragmentation offload: off
> generic segmentation offload: off
>
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 2, DecodeIP (pkt=0xe7494064 "\217\033", len=52,
> p=0x56c63300 <s_packet>) at decode.c:2586
> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
> 650 {
> (gdb) bt
> #0  DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620,
> pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
> #1  0x56591224 in ProcessPacket (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n", ft=0x0)
>     at snort.c:1821
> #2  0x56593a58 in PacketCallback (user=0x0, pkthdr=0xffffd620,
> pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at snort.c:1704
> #3  0x5666f489 in pcap_process_loop (user=0x57628770 "(\211bW",
> pkth=0xffffd6bc, data=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n")
>     at daq_pcap.c:361
> #4  0xf7d9e8f2 in pcap_read_linux_mmap (handle=0x576289c8,
> max_packets=0, callback=0x5666f400 <pcap_process_loop>,
> user=0x57628770 "(\211bW") at ./pcap-linux.c:4071
> #5  0xf7da09b2 in pcap_dispatch (p=0x576289c8, cnt=0,
> callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at
> ./pcap.c:497
> #6  0x5666fc26 in pcap_daq_acquire (handle=0x57628770, cnt=0,
> callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at
> daq_pcap.c:379
> #7  0x5666eb1b in daq_acquire_with_meta (module=0x566bba60
> <pcap_daq_module_data>, handle=0x57628770, cnt=0, callback=0x56593830
> <PacketCallback>, metaback=0x0, user=0x0)
>     at daq_mod_ops.c:133
> #8  0x565b4f75 in DAQ_Acquire (max=0, callback=0x56593830
> <PacketCallback>, user=0x0) at sfdaq.c:540
> #9  0x565933bf in PacketLoop () at snort.c:3210
> #10 0x565977f3 in SnortMain (argc=5, argv=0xffffd9e4) at snort.c:907
> #11 0x56597bea in main (argc=841887793, argv=0x63410a0d) at snort.c:807
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300
> <s_packet>) at decode.c:2586
> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
> added, yet.</p>\n</body></html>\n") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 2, DecodeIP (pkt=0xe7496064 "\217\033", len=52,
> p=0x56c63300 <s_packet>) at decode.c:2586
> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 2, DecodeIP (pkt=0xe7496694 "\217\033", len=52,
> p=0x56c63300 <s_packet>) at decode.c:2586
> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe7497042 "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 2, DecodeIP (pkt=0xe7497064 "", len=52, p=0x56c63300
> <s_packet>) at decode.c:2586
> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe7497672 "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 2, DecodeIP (pkt=0xe7497694 "\217\033", len=52,
> p=0x56c63300 <s_packet>) at decode.c:2586
> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe749803c "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe749866c "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
> c
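To make the byte-order point in the thread concrete, here is an added example (not Snort's decode.c and not code from either poster) that performs the same two checks Russ describes, the ether_type switch and the ip_proto check, over constructed frames. The text_frame shows what a buffer looks like when, as in the gdb pkt strings above, it begins with HTTP text rather than an Ethernet header: its bytes 12 and 13 are ": ", which reads back as 0x203a in memory on a little-endian host, one of the values printed in the dump.

```c
/* Added example, not Snort's decode.c: the ether_type switch and the
 * ip_proto check from the thread, applied to constructed frames. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohs()/htons() */

enum layers { ETH_OTHER, ETH_ARP, ETH_IP4_OTHER, ETH_IP4_TCP, TRUNCATED };
static const char *const layer_name[] = {
    "eth:other", "eth:arp", "eth:ip4:other", "eth:ip4:tcp", "truncated" };

/* The u16 exactly as it sits in memory, which is what "p /x p->eh->ether_type"
 * shows: on a little-endian host an IP frame prints as 0x8 (0x0008), not 0x0800. */
uint16_t raw_ether_type(const uint8_t *pkt) {
    uint16_t raw;
    memcpy(&raw, pkt + 12, sizeof raw);   /* ether_type follows two 6-byte MACs */
    return raw;
}

/* Mirrors the two places where decode.c bumps pc.other: an ethertype that is
 * neither IP nor ARP, and an IPv4 protocol that is not TCP. */
enum layers classify(const uint8_t *pkt, size_t len) {
    if (len < 14) return TRUNCATED;
    uint16_t etype = ntohs(raw_ether_type(pkt));   /* the value decode.c switches on */
    if (etype == 0x0806) return ETH_ARP;
    if (etype != 0x0800) return ETH_OTHER;          /* eth:other, pc.other++ */
    const uint8_t *ip = pkt + 14;
    if (len < 14 + 20 || (ip[0] >> 4) != 4) return TRUNCATED;
    size_t hlen = (size_t)(ip[0] & 0x0f) * 4;       /* IHL in 32-bit words */
    if (hlen < 20 || len < 14 + hlen) return TRUNCATED;
    return ip[9] == 6 ? ETH_IP4_TCP : ETH_IP4_OTHER; /* ip_proto: 6 is TCP */
}

/* Constructed frames; none of these bytes come from the list's capture. */
const uint8_t tcp_frame[34] = {
    0,0,0,0,0,1,  0,0,0,0,0,2,  0x08,0x00,          /* dst MAC, src MAC, IP */
    0x45,0,0,40,  0,0,  0,0,  64, 6, 0,0,           /* IHL 5, TTL 64, proto 6 */
    10,0,0,1,  10,0,0,2 };                          /* src, dst address */
const uint8_t arp_frame[14] = { 0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x06 };
/* A buffer that starts with HTTP text, as the pkt strings in the gdb dump do.
 * Bytes 12-13 are ": ", which reads back as 0x203a on a little-endian host. */
const uint8_t text_frame[] = "Content-Type: text/html\r\n";

int main(void) {
    printf("tcp_frame  -> %s (raw ether_type 0x%x)\n",
           layer_name[classify(tcp_frame, sizeof tcp_frame)], raw_ether_type(tcp_frame));
    printf("arp_frame  -> %s\n", layer_name[classify(arp_frame, sizeof arp_frame)]);
    printf("text_frame -> %s (raw ether_type 0x%x)\n",
           layer_name[classify(text_frame, sizeof text_frame - 1)], raw_ether_type(text_frame));
    return 0;
}
```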