[Snort-users] no http traffic detected at all
jlay at ...13475...
Fri May 16 07:40:46 EDT 2014
On Fri, 2014-05-16 at 12:04 +0200, Edwin Smulders wrote:
> I have a problem I would like some help with, the http inspect preprocessor is not correctly identifying http methods. In my test setup I have 2 machines, 1x Debian 7 (192.168.10.105) and 1x CentOS 6.5 (192.168.10.107). Both are vmware guests.
> On both these machines I have made a tcpdump of some HTTP requests - just simple wgets.
> On both machines I also have a snort install - 126.96.36.199 from the rpm package and self compiled on the debian machine.
> At first I was thinking the debian install was having problems detecting HTTP traffic, but it’s slightly different.
> When I load the CentOS tcpdump in both installs, they both detect HTTP GET Requests.
> When I load the debian tcpdump in both installs, neither detects HTTP GET Requests.
> I’ve attached the tcpdumps (if that works to the mailing list, otherwise I’ll host them somewhere), can anybody help me find out what is different?
> Note that the same thing happened in the (a bit older) snort version + config in the debian package manager.
> Config for the debian machine: http://paste.debian.net/99908/
> Config for the centos machine: http://paste.debian.net/99909/
> They should be similar except for paths. Most rules should be disabled, this is just about the http inspect preprocessor detecting the correct methods.
> I have output logs for the following commands:
> root at ...16853...:/home/esmulders/snort-188.8.131.52# /usr/local/bin/snort -c etc/snort.conf -H -U -A cmg -r http-debian.pcap &> snort-debianpcap.log
> root at ...16853...:/home/esmulders/snort-184.108.40.206# /usr/local/bin/snort -c etc/snort.conf -H -U -A cmg -r http-centos.pcap &> snort-centospcap.log
> snort-debianpcap.log: http://paste.debian.net/99910/
> snort-centospcap.log: http://paste.debian.net/99911/
> In these outputs the relevant lines are:
> GET methods: 0
> GET methods: 10
> Can somebody help me debug this? Let me know if you have debugging tips or if I can provide some more information.
> I’m available on Freenode/#snort as Dutchy for direct communication (european timezone/business hours work best for me).
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform available
> Simple to use. Nothing to install. Get started now for free."
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
Add "-k none" to your read and capture lines....checksum issue.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users