[Snort-users] no http traffic detected at all

Edwin Smulders edwin.smulders at ...16852...
Fri May 16 06:04:18 EDT 2014


I have a problem I would like some help with: the http inspect preprocessor is not correctly identifying HTTP methods. In my test setup I have 2 machines, 1x Debian 7 ( and 1x CentOS 6.5 ( Both are VMware guests.
On both these machines I have made a tcpdump of some HTTP requests - just simple wgets.

On both machines I also have a snort install - from the rpm package on CentOS and self-compiled on the Debian machine.
At first I was thinking the Debian install was having problems detecting HTTP traffic, but it’s slightly different.

When I load the CentOS tcpdump in both installs, they both detect HTTP GET requests.
When I load the Debian tcpdump in both installs, neither detects HTTP GET requests.

I’ve attached the tcpdumps (if that works to the mailing list, otherwise I’ll host them somewhere), can anybody help me find out what is different?

Note that the same thing happened with the (a bit older) snort version + config from the Debian package manager.

Config for the Debian machine: http://paste.debian.net/99908/
Config for the CentOS machine: http://paste.debian.net/99909/
They should be similar except for paths. Most rules should be disabled; this is just about the http inspect preprocessor detecting the correct methods.

I have output logs for the following commands:

root at ...16853...:/home/esmulders/snort- /usr/local/bin/snort -c etc/snort.conf -H -U -A cmg -r http-debian.pcap &> snort-debianpcap.log
root at ...16853...:/home/esmulders/snort- /usr/local/bin/snort -c etc/snort.conf -H -U -A cmg -r http-centos.pcap &> snort-centospcap.log

snort-debianpcap.log: http://paste.debian.net/99910/
snort-centospcap.log: http://paste.debian.net/99911/

In these outputs the relevant lines are (snort-debianpcap.log, then snort-centospcap.log):
GET methods:                          0
GET methods:                          10

Can somebody help me debug this? Let me know if you have debugging tips or if I can provide some more information.
I’m available on Freenode/#snort as Dutchy for direct communication (European timezone/business hours work best for me).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: http-centos.pcap
Type: application/octet-stream
Size: 52172 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140516/5d93329c/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: http-debian.pcap
Type: application/octet-stream
Size: 13184 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140516/5d93329c/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140516/5d93329c/attachment.sig>
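Two properties of a capture that decide whether Snort 2.x ever hands a segment to http_inspect are worth checking before comparing configs: the pcap link type (the decoder expects Ethernet unless told otherwise) and the TCP checksums, which Snort verifies by default (config checksum_mode / the -k option) and silently skips when they fail, a common outcome when tcpdump records packets on a VM before the virtual NIC fills in offloaded checksums. The script below is an added example, not code from the poster or from the Snort project; it builds a small constructed pcap (addresses, ports and the request line are made up) and audits each TCP packet for destination port, checksum validity and a leading GET.

```python
import struct

SRC, DST = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 3])  # constructed addresses

def csum(data):
    """RFC 1071 ones-complement checksum; odd lengths are zero padded."""
    data += b"\0" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def frame(sport, dport, payload, good_csum=True):
    """Ethernet/IPv4/TCP frame; good_csum=False deliberately corrupts the TCP checksum."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    c = csum(SRC + DST + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) ^ (0 if good_csum else 1)
    tcp = tcp[:16] + struct.pack("!H", c) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, SRC, DST)
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp

def pcap(frames, linktype=1):
    """Little-endian pcap file; linktype 1 is DLT_EN10MB (plain Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1400000000 + i, 0, len(f), len(f)) + f
    return out

def audit(data):
    """Per IPv4/TCP packet: (dst_port, tcp_checksum_ok, payload_starts_with_GET)."""
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    if linktype != 1:  # e.g. a 'tcpdump -i any' capture is LINUX_SLL, not Ethernet
        return [("non-ethernet linktype", linktype)]
    results, off = [], 24
    while off + 16 <= len(data):
        incl = struct.unpack_from(end + "I", data, off + 8)[0]
        pkt, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # only IPv4 + TCP matters for http_inspect
        ihl, total = (pkt[14] & 0xF) * 4, struct.unpack_from("!H", pkt, 16)[0]
        ip, tcp = pkt[14:14 + ihl], pkt[14 + ihl:14 + total]
        ok = csum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0
        dport, payload = struct.unpack_from("!H", tcp, 2)[0], tcp[(tcp[12] >> 4) * 4:]
        results.append((dport, ok, payload.startswith(b"GET ")))
    return results

REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed request
SAMPLE = pcap([frame(40000, 80, REQ), frame(40001, 80, REQ, False), frame(40002, 8081, REQ)])
```

Run audit() over a real capture's bytes: a GET whose checksum is reported bad will not reach http_inspect unless Snort is started with -k none, and a GET to a port missing from the http_inspect_server ports list is not inspected either.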
