[Snort-users] no http traffic detected at all

James Lay jlay at ...13475...
Fri May 16 07:40:46 EDT 2014


On Fri, 2014-05-16 at 12:04 +0200, Edwin Smulders wrote:

> Hello,
> 
> I have a problem I would like some help with, the http inspect preprocessor is not correctly identifying http methods. In my test setup I have 2 machines, 1x Debian 7 (192.168.10.105) and 1x CentOS 6.5 (192.168.10.107). Both are vmware guests.
> On both these machines I have made a tcpdump of some HTTP requests - just simple wgets.
> 
> On both machines I also have a snort install - 2.9.6.1 from the rpm package and self compiled on the debian machine.
> At first I was thinking the debian install was having problems detecting HTTP traffic, but it’s slightly different.
> 
> When I load the CentOS tcpdump in both installs, they both detect HTTP GET Requests.
> When I load the debian tcpdump in both installs, neither detects HTTP GET Requests.
> 
> I’ve attached the tcpdumps (if that works to the mailing list, otherwise I’ll host them somewhere), can anybody help me find out what is different?
> 
> Note that the same thing happened in the (a bit older) snort version + config in the debian package manager.
> 
> Config for the debian machine: http://paste.debian.net/99908/
> Config for the centos machine: http://paste.debian.net/99909/
> They should be similar except for paths. Most rules should be disabled, this is just about the http inspect preprocessor detecting the correct methods.
> 
> I have output logs for the following commands: 
> 
> root at ...16853...:/home/esmulders/snort-2.9.6.1# /usr/local/bin/snort -c etc/snort.conf -H -U -A cmg -r http-debian.pcap &> snort-debianpcap.log
> root at ...16853...:/home/esmulders/snort-2.9.6.1# /usr/local/bin/snort -c etc/snort.conf -H -U -A cmg -r http-centos.pcap &> snort-centospcap.log
> 
> snort-debianpcap.log: http://paste.debian.net/99910/
> snort-centospcap.log: http://paste.debian.net/99911/
> 
> In these outputs the relevant lines are:
> GET methods:                          0 
> and
> GET methods:                          10
> 
> Can somebody help me debug this? Let me know if you have debugging tips or if I can provide some more information.
> I’m available on Freenode/#snort as Dutchy for direct communication (european timezone/business hours work best for me).
> 
> 
> Regards,
> Edwin
> 
> 
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


Add "-k none" to your read and capture lines....checksum issue.

James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140516/d8468c77/attachment.html>


More information about the Snort-users mailing list