[Snort-users] [Snort-devel] HTTP INSPECT fails on Mirror Port

Russ Combs (rucombs) rucombs at ...589...
Thu Jul 24 12:57:46 EDT 2014


Did you capture the pcap on the box where you are running Snort?  How do Snort's shutdown stats compare between pcap readback and network tap modes?

________________________________________
From: Anand Raj Manickam [anandrm at ...11827...]
Sent: Thursday, July 24, 2014 11:57 AM
To: James Lay; snort-devel at lists.sourceforge.net
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror Port

Hi,
Can someone on the dev list help me?

I have Snort configured on the mirror port of a switch. Snort fails
to detect HTTP, but it does detect TCP and Stream5.
The Stream5 stats only show that it tracks. I have the http_inspect
and http_inspect_server preprocessors configured.
But when configured to read from a pcap file, with the same config,
HTTP is detected.
Can someone shed some light on what's missing in my configuration in
live mirror port mode?

# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv

The config file : http://pastebin.com/qUpTfRLY
The Snort Stats : http://pastebin.com/ADWvJAZQ

With a pcap file, HTTP Inspect is fine:
 snort -c /snort-2.9.6.1/etc/snort.conf -r /data/test.pcap

Thanks,

On Wed, Jul 23, 2014 at 5:24 PM, James Lay <jlay at ...13475...> wrote:
> On Tue, 2014-07-22 at 18:33 +0530, Anand Raj Manickam wrote:
>> Did try with
>> For Snort :
>> ./configure --with-dnet-includes=/opt/include/
>> --with-dnet-libraries=/opt/lib --enable-sourcefire
>> --enable-non-ether-decoders
>> The behaviour is the same
>>
>> For DAQ : # ./configure --with-dnet-includes=/opt/include/
>> --with-dnet-libraries=/opt/lib
>> Build AFPacket DAQ module.. : no
>> Build Dump DAQ module...... : yes
>> Build IPFW DAQ module...... : yes
>> Build IPQ DAQ module....... : no
>> Build NFQ DAQ module....... : yes
>> Build PCAP DAQ module...... : yes
>>
>> Not sure why AFPacket fails. But since the testbed is in TAP mode, I did not care.
>>
>>
>> On Mon, Jul 21, 2014 at 10:36 PM, James Lay <jlay at ...13475...> wrote:
>> > On 2014-07-21 10:41, Anand Raj Manickam wrote:
>> >> My understanding was you do not need afpacket for a mirror port, since
>> >> the setting was pcap - passive. Please correct me if I'm wrong.
>> >> snort was configured with ./configure --with-dnet-includes=/xyz
>> >> --with-dnet-libraries=/xyz
>> >> DAQ without any parameters
>> >>
>> >> On Mon, Jul 21, 2014 at 9:39 PM, James Lay <jlay at ...13475...>
>> >> wrote:
>> >>> On 2014-07-21 09:52, Anand Raj Manickam wrote:
>> >>>> Hi James,
>> >>>> I have attached the pcap.
>> >>>> Thanks,
>> >>>> Anand
>> >
>> > Technically I believe you are right, but at this stage, I'm playing
>> > "spot the differences".  My snort config line:
>> >
>> > ./configure --prefix=/opt --enable-sourcefire
>> > --with-dnet-libraries=/usr/local/lib --enable-non-ether-decoders
>> >
>> > and my daq config and a snippet of that output:
>> >
>> > ./configure --prefix=/usr
>> >
>> > Build AFPacket DAQ module.. : yes
>> > Build Dump DAQ module...... : yes
>> > Build IPFW DAQ module...... : yes
>> > Build IPQ DAQ module....... : no
>> > Build NFQ DAQ module....... : no
>> > Build PCAP DAQ module...... : yes
>> >
>> > How does yours differ?
>> >
>> > James
>
> At this point I'm out of ideas...perhaps one of the devs can assist.
>
> James
>
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

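Russ's suggestion above, comparing Snort's shutdown stats between pcap readback and the live mirror port, as a small checker. This is an added example, not code from the thread or from the Snort project; the two stat excerpts are constructed in the shape of Snort 2.9 shutdown output (they are not the pastebin dumps), and parse_stats and compare_runs are assumed helper names.

```python
import re

# Constructed excerpts shaped like Snort 2.9 shutdown statistics (not the thread's pastebins).
PCAP_STATS = """\
Packet I/O Totals:
   Received:         1200
   Analyzed:         1200 (100.000%)
   Dropped:             0 (  0.000%)
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    GET methods:         25
    POST methods:         3
"""

LIVE_STATS = """\
Packet I/O Totals:
   Received:         1200
   Analyzed:          950 ( 79.167%)
   Dropped:           250 ( 20.833%)
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    GET methods:          0
    POST methods:         0
"""

# Indented counter line: name, colon, integer; a trailing percentage is ignored.
COUNTER_RE = re.compile(r"^\s+(.+?):\s+(\d+)")

def parse_stats(text):
    # Returns {section: {counter: int}}; an unindented line starts a new section.
    stats, section = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            section = line.rstrip(":")
            stats[section] = {}
        elif section is not None:
            m = COUNTER_RE.match(line)
            if m:
                stats[section][m.group(1)] = int(m.group(2))
    return stats

def compare_runs(pcap_text, live_text):
    # Flags every counter that is zero in one mode but non-zero in the other:
    # packet drops in live mode, HTTP Inspect counters that never move there.
    pcap, live = parse_stats(pcap_text), parse_stats(live_text)
    findings = []
    for section, counters in pcap.items():
        for name, value in counters.items():
            live_value = live.get(section, {}).get(name, 0)
            if (value == 0) != (live_value == 0):
                findings.append((section, name, value, live_value))
    return findings
```

Point compare_runs at the text of the two real dumps: a non-zero Dropped count on the live side, or HTTP Inspect counters that only move during readback, narrows the problem to packet acquisition rather than the preprocessor config.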
_______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
