[Snort-users] HTTP reassembly problem - Snort 2.9.6.1

Mateusz Pigulski m.pigulski at ...11827...
Mon Jun 23 02:56:56 EDT 2014


 Sure, you can find everything in the attachments. During my test I send an HTTP
POST request via curl:

 curl -i http://10.11.169.41:50007/kabira/kpsa/submitOrder -H
"Content-Type: text/xml" --data-binary "@testreq.xml"

In the attachment you can find the xml file which I sent via curl.


2014-06-23 0:33 GMT+02:00 Joel Esler (jesler) <jesler at ...589...>:

>  Do you have packet captures and a configuration we can use to reproduce
> the issue?
>
> --
> Joel Esler
> Sent from my iPhone
>
> On Jun 22, 2014, at 16:04, "Mateusz Pigulski" <m.pigulski at ...11827...>
> wrote:
>
>   Hello, does anybody know this issue ??
>
>
> 2014-06-17 23:14 GMT+02:00 Mateusz Pigulski <m.pigulski at ...11827...>:
>
>>
>> Hi experts!!!
>>
>> I am a new user on the mailing list and also new to snort, so firstly I want
>> to say Hello!!.
>> I have configured Snort 2.9.6.1 with daq 2.0.2 and pf_ring 5.6.1. I want to
>> use snort to capture HTTP POSTs which are forwarded to my system. I have a
>> problem with configuring the output to store the reassembled packets.
>> When the size of the HTTP POST is larger than 1500, I can see in my unified2 file
>> that every tcp segment is stored as an event and packet, so if the HTTP POST
>> consists of 2 tcp segments I have 2 events and 2 packets; from my point of
>> view it would be better to have only one event and packet for the reassembled
>> packet. I have read this thread: http://seclists.org/snort/2012/q4/758,
>> and 2 years ago it was impossible, so my question is: is it possible to
>> configure in snort 2.9.6.1 output with unified2 to store reassembled
>> packets ??
>>
>>  -------------
>> BR
>> Mateusz
>>
>
>
>
> --
>
> ------------
> Mateusz
>
>


-- 

------------
Mateusz
-------------- next part --------------
(Event)
        sensor id: 0    event id: 110939        event second: 1403503860        event microsecond: 185630
        sig id: 1000039 gen id: 1       revision: 1      classification: 0
        priority: 0     ip source: 126.198.135.11       ip destination: 10.11.169.41
        src port: 55514 dest port: 50007        protocol: 6     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 110939        event second: 1403503860
        packet second: 1403503860       packet microsecond: 185630
        linktype: 1     packet_length: 1514
[    0] 00 00 0C 07 AC CE AC 16 2D 7A 74 B0 08 00 45 00  ........-zt...E.
[   16] 05 DC D9 14 40 00 40 06 A3 01 7E C6 87 0B 0A 0B  ....@.@...~.....
[   32] A9 29 D8 DA C3 57 E2 13 79 3B E1 87 20 DD 80 10  .)...W..y;.. ...
[   48] 00 73 5F 03 00 00 01 01 08 0A 07 6C A1 25 27 8B  .s_........l.%'.
[   64] BD 47 3C 73 65 72 76 69 63 65 4F 72 64 65 72 52  .G<serviceOrderR
[   80] 65 71 75 65 73 74 3E 20 0A 3C 70 72 6F 64 75 63  equest> .<produc
[   96] 74 4E 61 6D 65 3E 54 45 53 54 3C 2F 70 72 6F 64  tName>TEST</prod
[  112] 75 63 74 4E 61 6D 65 3E 20 0A 20 20 20 20 20 20  uctName> .
[  128] 20 20 20 20 20 20 3C 76 65 72 62 3E 56 45 52 42        <verb>VERB
[  144] 3C 2F 76 65 72 62 3E 20 0A 20 20 20 20 20 20 20  </verb> .
[  160] 20 20 20 20 20 3C 6F 72 64 65 72 49 64 3E 54 45       <orderId>TE
[  176] 53 54 5F 52 45 51 55 45 53 54 5F 35 3C 2F 6F 72  ST_REQUEST_5</or
[  192] 64 65 72 49 64 3E 20 0A 20 20 20 20 20 20 20 20  derId> .
[  208] 20 20 20 20 3C 70 61 72 61 6D 65 74 65 72 73 3E      <parameters>
[  224] 20 0A 20 20 20 20 20 20 20 20 20 20 20 20 20 20   .
[  240] 20 20 3C 70 61 72 61 6D 65 74 65 72 3E 20 0A 20    <parameter> .
[  256] 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
[  272] 20 20 20 3C 6E 61 6D 65 3E 50 41 52 41 4D 45 54     <name>PARAMET
[  288] 45 52 31 3C 2F 6E 61 6D 65 3E 3C 76 61 6C 75 65  ER1</name><value
[  304] 3E 41 41 41 41 41 41 41 41 41 41 41 3C 2F 76 61  >AAAAAAAAAAA</va
[  320] 6C 75 65 3E 20 0A 20 20 20 20 20 20 20 20 20 20  lue> .
[  336] 20 20 20 20 20 20 3C 2F 70 61 72 61 6D 65 74 65        </paramete
[  352] 72 3E 3C 70 61 72 61 6D 65 74 65 72 3E 20 0A 20  r><parameter> .
[  368] 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
[  384] 20 20 20 3C 6E 61 6D 65 3E 50 41 52 41 4D 45 54     <name>PARAMET
[  400] 45 52 32 3C 2F 6E 61 6D 65 3E 3C 76 61 6C 75 65  ER2</name><value
[  416] 3E 42 42 42 42 42 42 42 42 42 42 42 42 42 3C 2F  >BBBBBBBBBBBBB</
[  432] 76 61 6C 75 65 3E 20 0A 20 20 20 20 20 20 20 20  value> .
[  448] 20 20 20 20 20 20 20 20 3C 2F 70 61 72 61 6D 65          </parame
[  464] 74 65 72 3E 3C 70 61 72 61 6D 65 74 65 72 3E 20  ter><parameter>
[  480] 0A 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20  .
[  496] 20 20 20 20 20 3C 6E 61 6D 65 3E 3C 2F 6E 61 6D       <name></nam
[  512] 65 3E 3C 76 61 6C 75 65 3E 53 53 53 53 53 53 53  e><value>SSSSSSS
[  528] 53 53 53 3C 2F 76 61 6C 75 65 3E 20 0A 20 20 20  SSS</value> .
[  544] 20 20 20 20 20 20 20 20 20 20 20 20 20 3C 2F 70               </p
[  560] 61 72 61 6D 65 74 65 72 3E 3C 70 61 72 61 6D 65  arameter><parame
[  576] 74 65 72 3E 20 0A 20 20 20 20 20 20 20 20 20 20  ter> .
[  592] 20 20 20 20 20 20 20 20 20 20 3C 6E 61 6D 65 3E            <name>
[  608] 50 41 52 41 4D 45 54 45 52 33 3C 2F 6E 61 6D 65  PARAMETER3</name
[  624] 3E 3C 76 61 6C 75 65 3E 57 51 51 51 51 51 51 51  ><value>WQQQQQQQ
[  640] 51 3C 2F 76 61 6C 75 65 3E 20 0A 20 20 20 20 20  Q</value> .
[  656] 20 20 20 20 20 20 20 20 20 20 20 3C 2F 70 61 72             </par
[  672] 61 6D 65 74 65 72 3E 3C 70 61 72 61 6D 65 74 65  ameter><paramete
[  688] 72 3E 20 0A 20 20 20 20 20 20 20 20 20 20 20 20  r> .
[  704] 20 20 20 20 20 20 20 20 3C 6E 61 6D 65 3E 50 41          <name>PA
[  720] 52 41 4D 45 54 45 52 34 3C 2F 6E 61 6D 65 3E 3C  RAMETER4</name><
[  736] 76 61 6C 75 65 3E 58 58 58 58 58 58 58 58 58 3C  value>XXXXXXXXX<
[  752] 2F 76 61 6C 75 65 3E 20 0A 20 20 20 20 20 20 20  /value> .
[  768] 20 20 20 20 20 20 20 20 20 3C 2F 70 61 72 61 6D           </param
[  784] 65 74 65 72 3E 3C 70 61 72 61 6D 65 74 65 72 3E  eter><parameter>
[  800] 20 0A 20 20 20 20 20 20 20 20 20 20 20 20 20 20   .
[  816] 20 20 20 20 20 20 3C 6E 61 6D 65 3E 50 41 52 41        <name>PARA
[  832] 4D 45 54 45 52 35 3C 2F 6E 61 6D 65 3E 3C 76 61  METER5</name><va
[  848] 6C 75 65 3E 42 42 42 42 42 4F 4F 4F 4F 4F 4F 3C  lue>BBBBBOOOOOO<
[  864] 2F 76 61 6C 75 65 3E 20 0A 20 20 20 20 20 20 20  /value> .
[  880] 20 20 20 20 20 20 20 20 20 3C 2F 70 61 72 61 6D           </param
[  896] 65 74 65 72 3E 3C 70 61 72 61 6D 65 74 65 72 3E  eter><parameter>
[  912] 20 0A 20 20 20 20 20 20 20 20 20 20 20 20 20 20   .
[  928] 20 20 20 20 20 20 3C 6E 61 6D 65 3E 50 41 52 41        <name>PARA
[  944] 4D 45 54 45 52 36 3C 2F 6E 61 6D 65 3E 3C 76 61  METER6</name><va
[  960] 6C 75 65 3E 50 50 50 50 50 50 50 50 50 50 50 3C  lue>PPPPPPPPPPP<
[  976] 2F 76 61 6C 75 65 3E 20 0A 20 20 20 20 20 20 20  /value> .
[  992] 20 20 20 20 20 20 20 20 20 3C 2F 70 61 72 61 6D           </param
[ 1008] 65 74 65 72 3E 3C 70 61 72 61 6D 65 74 65 72 3E  eter><parameter>
[ 1024] 20 0A 20 20 20 20 20 20 20 20 20 20 20 20 20 20   .
[ 1040] 20 20 20 20 20 20 3C 6E 61 6D 65 3E 50 41 52 41        <name>PARA
[ 1056] 4D 45 54 45 52 37 3C 2F 6E 61 6D 65 3E 3C 76 61  METER7</name><va
[ 1072] 6C 75 65 3E 4C 4C 4C 4C 4C 4C 4C 4C 4C 4C 4C 4C  lue>LLLLLLLLLLLL
[ 1088] 4C 3C 2F 76 61 6C 75 65 3E 20 0A 20 20 20 20 20  L</value> .
[ 1104] 20 20 20 20 20 20 20 20 20 20 20 3C 2F 70 61 72             </par
[ 1120] 61 6D 65 74 65 72 3E 3C 70 61 72 61 6D 65 74 65  ameter><paramete
[ 1136] 72 3E 20 0A 20 20 20 20 20 20 20 20 20 20 20 20  r> .
[ 1152] 20 20 20 20 20 20 20 20 3C 6E 61 6D 65 3E 50 41          <name>PA
[ 1168] 52 41 4D 45 54 45 52 38 3C 2F 6E 61 6D 65 3E 3C  RAMETER8</name><
[ 1184] 76 61 6C 75 65 3E 49 49 49 49 49 49 49 49 49 49  value>IIIIIIIIII
[ 1200] 49 49 3C 2F 76 61 6C 75 65 3E 20 0A 20 20 20 20  II</value> .
[ 1216] 20 20 20 20 20 20 20 20 20 20 20 20 3C 2F 70 61              </pa
[ 1232] 72 61 6D 65 74 65 72 3E 3C 70 61 72 61 6D 65 74  rameter><paramet
[ 1248] 65 72 3E 20 0A 20 20 20 20 20 20 20 20 20 20 20  er> .
[ 1264] 20 20 20 20 20 20 20 20 20 3C 6E 61 6D 65 3E 50           <name>P
[ 1280] 41 52 41 4D 45 54 45 52 39 3C 2F 6E 61 6D 65 3E  ARAMETER9</name>
[ 1296] 3C 76 61 6C 75 65 3E 4E 4E 4E 4E 4E 4E 4E 4E 4E  <value>NNNNNNNNN
[ 1312] 4E 4E 4E 4E 4E 3C 2F 76 61 6C 75 65 3E 20 0A 20  NNNNN</value> .
[ 1328] 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3C                 <
[ 1344] 2F 70 61 72 61 6D 65 74 65 72 3E 3C 70 61 72 61  /parameter><para
[ 1360] 6D 65 74 65 72 3E 20 0A 20 20 20 20 20 20 20 20  meter> .
[ 1376] 20 20 20 20 20 20 20 20 20 20 20 20 3C 6E 61 6D              <nam
[ 1392] 65 3E 50 41 52 41 4D 45 54 45 52 31 30 3C 2F 6E  e>PARAMETER10</n
[ 1408] 61 6D 65 3E 3C 76 61 6C 75 65 3E 55 55 55 55 55  ame><value>UUUUU
[ 1424] 55 55 55 55 3C 2F 76 61 6C 75 65 3E 20 0A 20 20  UUUU</value> .
[ 1440] 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3C 2F                </
[ 1456] 70 61 72 61 6D 65 74 65 72 3E 3C 70 61 72 61 6D  parameter><param
[ 1472] 65 74 65 72 3E 20 0A 20 20 20 20 20 20 20 20 20  eter> .
[ 1488] 20 20 20 20 20 20 20 20 20 20 20 3C 6E 61 6D 65             <name
[ 1504] 3E 50 41 52 41 4D 45 54 45 52                    >PARAMETER

(Event)
        sensor id: 0    event id: 110940        event second: 1403503860        event microsecond: 185648
        sig id: 1000039 gen id: 1       revision: 1      classification: 0
        priority: 0     ip source: 126.198.135.11       ip destination: 10.11.169.41
        src port: 55514 dest port: 50007        protocol: 6     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 110940        event second: 1403503860
        packet second: 1403503860       packet microsecond: 185648
        linktype: 1     packet_length: 406
[    0] 00 00 0C 07 AC CE AC 16 2D 7A 74 B0 08 00 45 00  ........-zt...E.
[   16] 01 88 D9 15 40 00 40 06 A7 54 7E C6 87 0B 0A 0B  ....@.@..T~.....
[   32] A9 29 D8 DA C3 57 E2 13 7E E3 E1 87 20 DD 80 18  .)...W..~... ...
[   48] 00 73 B8 1D 00 00 01 01 08 0A 07 6C A1 25 27 8B  .s.........l.%'.
[   64] BD 47 31 31 3C 2F 6E 61 6D 65 3E 3C 76 61 6C 75  .G11</name><valu
[   80] 65 3E 58 58 58 58 58 58 58 58 58 3C 2F 76 61 6C  e>XXXXXXXXX</val
[   96] 75 65 3E 20 0A 20 20 20 20 20 20 20 20 20 20 20  ue> .
[  112] 20 20 20 20 20 3C 2F 70 61 72 61 6D 65 74 65 72       </parameter
[  128] 3E 3C 70 61 72 61 6D 65 74 65 72 3E 20 0A 20 20  ><parameter> .
[  144] 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
[  160] 20 20 3C 6E 61 6D 65 3E 50 41 52 41 4D 45 54 45    <name>PARAMETE
[  176] 52 31 32 3C 2F 6E 61 6D 65 3E 3C 76 61 6C 75 65  R12</name><value
[  192] 3E 4F 4F 4F 4F 4F 4F 4F 4F 4F 3C 2F 76 61 6C 75  >OOOOOOOOO</valu
[  208] 65 3E 20 0A 20 20 20 20 20 20 20 20 20 20 20 20  e> .
[  224] 20 20 20 20 3C 2F 70 61 72 61 6D 65 74 65 72 3E      </parameter>
[  240] 3C 70 61 72 61 6D 65 74 65 72 3E 20 0A 20 20 20  <parameter> .
[  256] 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
[  272] 20 3C 6E 61 6D 65 3E 50 41 52 41 4D 45 54 45 52   <name>PARAMETER
[  288] 31 33 3C 2F 6E 61 6D 65 3E 3C 76 61 6C 75 65 3E  13</name><value>
[  304] 4B 4B 4B 4B 4B 4B 4B 4B 4B 3C 2F 76 61 6C 75 65  KKKKKKKKK</value
[  320] 3E 20 0A 20 20 20 20 20 20 20 20 20 20 20 20 20  > .
[  336] 20 20 20 3C 2F 70 61 72 61 6D 65 74 65 72 3E 20     </parameter>
[  352] 0A 20 20 20 20 20 20 20 20 20 20 20 20 3C 2F 70  .            </p
[  368] 61 72 61 6D 65 74 65 72 73 3E 20 0A 3C 2F 73 65  arameters> .</se
[  384] 72 76 69 63 65 4F 72 64 65 72 52 65 71 75 65 73  rviceOrderReques
[  400] 74 3E 09 09 09 0A                                t>....

-------------- next part --------------
A non-text attachment was scrubbed...
Name: testreq.xml
Type: text/xml
Size: 1786 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140623/8c2d5338/attachment.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test_20140623.pcap
Type: application/octet-stream
Size: 5452 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140623/8c2d5338/attachment.obj>
-------------- next part --------------
alert tcp 126.198.135.11 any -> 10.11.169.41 50007 (content:"serviceOrderRequest"; msg:"TEST_REQ"; sid:1000039; rev:1;)
-------------- next part --------------
# Useful variables
var SNORT_HOME /home/monit/snort/etc/
var RULE_DIR rules
var LOG_PATH /home/monit/snort/log
#config logdir: /store/snort/data

##
include $RULE_DIR/VARS

#### Configure DAQ
config daq: pfring
config daq_dir: /usr/local/lib/daq
config daq_var: clusterid=44

###################################################
# Step #2: Configure the decoder.  For more information, see README.decode
###################################################
# Stop generic decode events:
config disable_decode_alerts
# Stop Alerts on experimental TCP options
config disable_tcpopt_experimental_alerts
# Stop Alerts on obsolete TCP options
config disable_tcpopt_obsolete_alerts
# Stop Alerts on T/TCP alerts
config disable_tcpopt_ttcp_alerts
# Stop Alerts on all other TCPOption type events:
config disable_tcpopt_alerts
# Stop Alerts on invalid ip options
config disable_ipopt_alerts
config checksum_mode: none
# Set snaplen - I changed it to 3000 because of the big xml
config snaplen: 3000
# Configure ports to ignore
config ignore_ports: tcp 21 22 23 443

# Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
#
# config bpf_file:
#

# Configure default log directory for snort to log to.  For more information see snort -h command line options (-l)
#
# config logdir:


###################################################
# Step #3: Configure the base detection engine.  For more information, see  README.decode
###################################################

# Configure PCRE match limitations
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500

# Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
config detection: search-method ac-split search-optimize max-pattern-len 20

# Configure the event queue.  For more information, see README.event_queue
config event_queue: max_queue 8 log 3 order_events content_length

###################################################
# Configure Perf Profiling for debugging
# For more information see README.PerfProfiling
###################################################
config profile_rules: print all, sort avg_ticks
config profile_preprocs: print all, sort avg_ticks

###################################################
# Configure protocol aware flushing
# For more information see README.stream5
###################################################
#config paf_max: 16000
config paf_max: 600
# performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
preprocessor perfmonitor: time 300 file $LOG_PATH/snort.stats pktcnt 10000 max_file_size 409600 flow
preprocessor http_inspect: global memcap 5000 iis_unicode_map /usr/local/snort-2.9.6.0/etc/unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 50010, } inspect_uri_only log_uri
preprocessor stream5_global: track_tcp yes, track_udp no, show_rebuilt_packets
preprocessor stream5_tcp: policy linux, ports both all
#preprocessor frag3_global
#preprocessor frag3_engine: policy linux min_ttl 255
# SSL anomaly detection and traffic bypass.  For more information, see README.ssl
#preprocessor ssl: ports { 443 }, trustservers, noinspect_encrypted

output unified2: filename snort.u2, limit 1
output unified2: filename snort4nest.u2, limit 1

## RULES

include $RULE_DIR/VARS
include $RULE_DIR/DM_SMSC.RULES
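
Added example, not part of the thread or of the Snort distribution. Three things in the material above explain the two events. The posted rule has no flow option and no HTTP content modifier, so it is evaluated against every raw TCP segment, and "serviceOrderRequest" occurs in both segments of the dump (the opening tag near offset 66 of the 1514-byte packet, the closing tag near offset 376 of the 406-byte packet). The posted http_inspect_server line hands only port 50010 to http_inspect and sets inspect_uri_only, while the POST goes to port 50007, so the body is never inspected as HTTP. And paf_max is capped at 600 bytes, below the 1786-byte request body, so even a protocol-aware flush could not deliver the request in one PDU. The fragment below puts the posted settings next to the changes that make the rule fire once, on the reassembled request. Addresses, ports, file paths and the sid are taken from the thread; the rest is the editor's suggestion for Snort 2.9.6.1 and should be checked against the manual on the reader's own capture.

```snort
# ---- As posted (lines copied from the thread's snort.conf and rule) ----

# Only port 50010 is inspected, and inspect_uri_only skips the request body.
# The capture shows the POST going to port 50007.
preprocessor http_inspect_server: server default profile all ports { 50010, } inspect_uri_only log_uri
# PAF flush size capped at 600 bytes: a reassembled PDU can never hold the
# 1786-byte body in one piece.
config paf_max: 600
# No flow option, no HTTP modifier: matched against each raw segment, and the
# pattern is present in both <serviceOrderRequest> and </serviceOrderRequest>.
alert tcp 126.198.135.11 any -> 10.11.169.41 50007 (content:"serviceOrderRequest"; msg:"TEST_REQ"; sid:1000039; rev:1;)

# ---- Suggested (editor's changes, assumptions noted) ----

# Give http_inspect the real port and stop limiting inspection to the URI.
# unicode.map path and memcap are the posted values.
preprocessor http_inspect: global memcap 5000 iis_unicode_map /usr/local/snort-2.9.6.0/etc/unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all \
    ports { 50007 } \
    log_uri
# Back to the default PAF limit (the value the posted config left commented
# out) so headers plus body are flushed together as one PDU.
config paf_max: 16000
# stream5 as posted, minus show_rebuilt_packets (console noise only).
# Reassembly on all ports is what makes the rebuilt PDU visible to rules.
preprocessor stream5_global: track_tcp yes, track_udp no
preprocessor stream5_tcp: policy linux, ports both all
output unified2: filename snort.u2, limit 1
# Match only inside the HTTP client body of the inspected request, which
# exists once per request rather than once per segment. rev bumped so the
# change is visible in the unified2 event record.
alert tcp 126.198.135.11 any -> 10.11.169.41 50007 ( \
    msg:"TEST_REQ"; \
    flow:to_server,established; \
    content:"serviceOrderRequest"; http_client_body; \
    sid:1000039; rev:2; )
# Generic alternative for a port that is not handed to http_inspect:
# only_stream restricts evaluation to stream-rebuilt packets, so raw
# segments are not matched. sid 1000040 is an assumed, unused number.
# alert tcp 126.198.135.11 any -> 10.11.169.41 50007 ( \
#     msg:"TEST_REQ stream only"; flow:to_server,established,only_stream; \
#     content:"serviceOrderRequest"; sid:1000040; rev:1; )
```

Replay the attached capture offline before touching the sensor, commenting out the pfring DAQ lines or overriding them: `snort -c snort.conf --daq pcap -r test_20140623.pcap -l /tmp/u2 -q`, then `u2spewfoo /tmp/u2/snort.u2.*`. The check is simple: one (Event) per POST, and a Packet record whose packet_length is larger than the 1514-byte frames shown above, because unified2 logs the stream-rebuilt pseudo-packet that triggered the rule rather than either wire segment. If two events still appear with identical event_second and differing packet_length, the rule is still being evaluated on raw segments and the http_inspect port list or the flow option is the first place to look.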

