[Snort-users] HTTP INSPECT fails on Mirror Port

James Lay jlay at ...13475...
Mon Jul 21 12:09:51 EDT 2014


On 2014-07-21 09:52, Anand Raj Manickam wrote:
> Hi James,
> I have attached the pcap.
> Thanks,
> Anand
>
> On Mon, Jul 21, 2014 at 9:02 PM, James Lay <jlay at ...13475...> wrote:
>> On 2014-07-21 09:14, Anand Raj Manickam wrote:
>>> It works fine with a pcap; the issue I'm facing is when configured
>>> with a SPAN/Mirror port of the switch where the traffic is mirrored
>>> from the Host. It hits till the TCP (only tracked at Stream 5) but does
>>> not hit the HTTP Inspect.
>>>
>>> On Mon, Jul 21, 2014 at 7:55 PM, James Lay <jlay at ...13475...> wrote:
>>>> On 2014-07-21 05:51, Anand Raj Manickam wrote:
>>>>> Any Suggestions ?
>>>>>
>>>>> On Fri, Jul 18, 2014 at 5:28 PM, Anand Raj Manickam
>>>>> <anandrm at ...11827...> wrote:
>>>>>> I do not see a change, it's the same.
>>>>>> Screen shot : http://pastebin.com/XpcHjRqB
>>>>>>
>>>>>>
>>>>>> On Fri, Jul 18, 2014 at 5:21 PM, Joel Esler (jesler)
>>>>>> <jesler at ...589...> wrote:
>>>>>>> Can you add -k none to the command line and see what happens?
>>>>>>>
>>>>>>> --
>>>>>>> Joel Esler
>>>>>>> Sent from my iPhone
>>>>>>>
>>>>>>>> On Jul 18, 2014, at 7:49, "Anand Raj Manickam" <anandrm at ...11827...> wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I have Snort configured on the Mirror Port of a Switch. Snort
>>>>>>>> fails to detect HTTP, but it does detect the TCP and Stream5.
>>>>>>>> The Stream5 Stats only show that it Tracks. I have the
>>>>>>>> http_inspect and http_inspect_server preprocessors configured.
>>>>>>>> But when configured to read from a pcap file, with the same
>>>>>>>> config, the HTTP is detected.
>>>>>>>> Can someone shed some light on what's missing in my
>>>>>>>> configuration in live Mirror port mode?
>>>>>>>>
>>>>>>>> # snort --daq-list
>>>>>>>> Available DAQ modules:
>>>>>>>> pcap(v3): readback live multi unpriv
>>>>>>>> nfq(v7): live inline multi
>>>>>>>> ipfw(v3): live inline multi unpriv
>>>>>>>> dump(v2): readback live inline multi unpriv
>>>>>>>>
>>>>>>>> The config file : http://pastebin.com/qUpTfRLY
>>>>>>>> The Snort Stats : http://pastebin.com/ADWvJAZQ
>>>>>>>>
>>>>>>>> With a pcap file , the HTTP Inspect is fine :
>>>>>>>> snort  -c /snort-2.9.6.1/etc/snort.conf  -r /data/test.pcap
>>>>>>>>
>>>>>>>> Thanks,
>>>>
>>>> Can you provide a sanitized pcap?
>>>>
>>>> James
>>
>> I understand...please provide a capture of the traffic captured at
>> the span/mirrored port.
>>
>> James

It looks like your snort is missing afpacket. Mine is shown below:

Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv


How did you ./configure snort and daq?



Here's a run using your pcap and your snort.conf:

Commencing packet processing (pid=5599)
===============================================================================
Run time for packet processing was 0.984 seconds
Snort processed 24 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
    Pkts/sec:           24
Preprocessor Profile Statistics (all)
==========================================================
  Num            Preprocessor Layer     Checks      Exits           Microsecs  Avg/Check Pct of Caller Pct of Total
  ===            ============ =====     ======      =====           =========  ========= ============= ============
   1              httpinspect     0          4          4                122      30.69         32.73        32.73
   2                       s5     0         20         20                255      12.79         68.22        68.22
    1                   s5tcp     1         20         20                241      12.10         94.56        64.51
     1             s5TcpState     2         19         19                218      11.51         90.35        58.28
      1            s5TcpFlush     3          2          2                  13       6.99          6.40         3.73
       1  s5TcpProcessRebuilt     4          2          2                111      55.58        794.95        29.64
       2     s5TcpBuildPacket     4          2          2                   0       0.43          6.18         0.23
      2             s5TcpData     3          4          4                  26       6.73         12.32         7.18
       1       s5TcpPktInsert     4          4          4                  20       5.13         76.14         5.47
      3              s5TcpPAF     3         17         17                  21       1.25          9.68         5.64
     2           s5TcpNewSess     2          1          1                   7       7.25          3.00         1.93
    3                    mpse     1          1          1                   1       1.61           inf         0.43
   4                   decode     0         24         24                  35       1.50          9.57         9.57
   5                   eventq     0         50         50                   4       0.10          1.31         1.31
  total                 total     0         24         24                375      15.63          0.00         0.00
Rule Profile Statistics (all rules)
==========================================================
No rules were profiled
===============================================================================
Memory usage summary:
   Total non-mmapped bytes (arena):       2932736
   Bytes in mapped regions (hblkhd):      6868992
   Total allocated space (uordblks):      1191904
   Total free space (fordblks):           1740832
   Topmost releasable block (keepcost):   5000
===============================================================================
Packet I/O Totals:
    Received:           24
    Analyzed:           24 (100.000%)
     Dropped:            0 (  0.000%)
    Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
    Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
         Eth:           24 (100.000%)
        VLAN:            0 (  0.000%)
         IP4:           20 ( 83.333%)
        Frag:            0 (  0.000%)
        ICMP:            0 (  0.000%)
         UDP:            0 (  0.000%)
         TCP:           20 ( 83.333%)
         IP6:            0 (  0.000%)
     IP6 Ext:            0 (  0.000%)
    IP6 Opts:            0 (  0.000%)
       Frag6:            0 (  0.000%)
       ICMP6:            0 (  0.000%)
        UDP6:            0 (  0.000%)
        TCP6:            0 (  0.000%)
      Teredo:            0 (  0.000%)
     ICMP-IP:            0 (  0.000%)
       EAPOL:            0 (  0.000%)
     IP4/IP4:            0 (  0.000%)
     IP4/IP6:            0 (  0.000%)
     IP6/IP4:            0 (  0.000%)
     IP6/IP6:            0 (  0.000%)
         GRE:            0 (  0.000%)
     GRE Eth:            0 (  0.000%)
    GRE VLAN:            0 (  0.000%)
     GRE IP4:            0 (  0.000%)
     GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
    GRE PPTP:            0 (  0.000%)
     GRE ARP:            0 (  0.000%)
     GRE IPX:            0 (  0.000%)
    GRE Loop:            0 (  0.000%)
        MPLS:            0 (  0.000%)
         ARP:            4 ( 16.667%)
         IPX:            0 (  0.000%)
    Eth Loop:            0 (  0.000%)
    Eth Disc:            0 (  0.000%)
    IP4 Disc:            0 (  0.000%)
    IP6 Disc:            0 (  0.000%)
    TCP Disc:            0 (  0.000%)
    UDP Disc:            0 (  0.000%)
   ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
       Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
     Bad TTL:            0 (  0.000%)
      S5 G 1:            0 (  0.000%)
      S5 G 2:            0 (  0.000%)
       Total:           24
===============================================================================
Action Stats:
      Alerts:            0 (  0.000%)
      Logged:            0 (  0.000%)
      Passed:            0 (  0.000%)
Limits:
       Match:            0
       Queue:            0
         Log:            0
       Event:            0
       Alert:            0
Verdicts:
       Allow:           24 (100.000%)
       Block:            0 (  0.000%)
     Replace:            0 (  0.000%)
   Whitelist:            0 (  0.000%)
   Blacklist:            0 (  0.000%)
      Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
         Total Fragments: 0
       Frags Reassembled: 0
                Discards: 0
           Memory Faults: 0
                Timeouts: 0
                Overlaps: 0
               Anomalies: 0
                  Alerts: 0
                   Drops: 0
      FragTrackers Added: 0
     FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
     Frag Nodes Inserted: 0
      Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
             Total sessions: 1
               TCP sessions: 1
               UDP sessions: 0
              ICMP sessions: 0
                IP sessions: 0
                 TCP Prunes: 0
                 UDP Prunes: 0
                ICMP Prunes: 0
                  IP Prunes: 0
TCP StreamTrackers Created: 1
TCP StreamTrackers Deleted: 1
               TCP Timeouts: 0
               TCP Overlaps: 0
        TCP Segments Queued: 2
      TCP Segments Released: 2
        TCP Rebuilt Packets: 2
          TCP Segments Used: 2
               TCP Discards: 0
                   TCP Gaps: 0
       UDP Sessions Created: 0
       UDP Sessions Deleted: 0
               UDP Timeouts: 0
               UDP Discards: 0
                     Events: 0
            Internal Events: 0
            TCP Port Filter
                   Filtered: 0
                  Inspected: 0
                    Tracked: 20
            UDP Port Filter
                   Filtered: 0
                  Inspected: 0
                    Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
     POST methods:                         0
     GET methods:                          1
     HTTP Request Headers extracted:       1
     HTTP Request Cookies extracted:       0
     Post parameters extracted:            0
     HTTP response Headers extracted:      1
     HTTP Response Cookies extracted:      0
     Unicode:                              0
     Double unicode:                       0
     Non-ASCII representable:              0
     Directory traversals:                 0
     Extra slashes ("//"):                 0
     Self-referencing paths ("./"):        0
     HTTP Response Gzip packets extracted: 0
     Gzip Compressed Data Processed:       n/a
     Gzip Decompressed Data Processed:     n/a
     Total packets processed:              4
===============================================================================
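Joel's "-k none" suggestion above turns off Snort's checksum verification (frames that fail it are counted under "Bad Chk Sum" in the stats above). As an added example, not code from this thread, here is a stand-alone checker for the IPv4 header and TCP checksums of a raw Ethernet II frame, with a constructed sample frame (addresses, ports and payload are made up) so it runs offline; walking a capture taken at the mirror port through the same function shows whether checksum failures, rather than a missing DAQ, are what keeps the segments away from http_inspect.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, folded."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def verify_ipv4_tcp(frame: bytes) -> dict:
    """Verify the IPv4 header and TCP checksums of one Ethernet II frame.
    Summing a header together with its own checksum field must give 0."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    # TCP pseudo-header: src addr, dst addr, zero, protocol 6, TCP length
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return {"ip_ok": ones_complement_sum(ip[:ihl]) == 0,
            "tcp_ok": ones_complement_sum(pseudo + tcp) == 0}

def build_sample_frame(corrupt: bool = False) -> bytes:
    """Constructed sample: 10.0.0.1:40000 -> 10.0.0.2:80 carrying an HTTP GET.
    With corrupt=True one payload bit is flipped after the checksum is set."""
    payload = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    # ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    if corrupt:
        tcp = tcp[:-1] + bytes([tcp[-1] ^ 0x01])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # constructed MACs, EtherType IPv4

if __name__ == "__main__":
    for name, frame in (("good", build_sample_frame()), ("corrupt", build_sample_frame(True))):
        print(name, verify_ipv4_tcp(frame))
```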