[Snort-users] no http traffic detected at all

Edwin Smulders edwin.smulders at ...16852...
Tue May 20 05:59:16 EDT 2014


I hate to follow up on this, but I’m having the same problem again.

This time I have a vmware guest with 2 network interfaces, and I’m capturing on eth1. I’ve made a pcap using tcpdump on -i eth1 port 80 and I load this in my confirmed working snort setup on the other machine.
This gives exactly the same result as I had originally, no HTTP packets detected whatsoever.

Here’s my ethtool output: http://paste.debian.net/100767/
I’ve turned off everything I was able to turn off, but it had no effect.

What am I doing wrong?


On 16 May 2014, at 13:46, Edwin Smulders <edwin.smulders at ...16852...> wrote:

> I had tried -k none earlier without results. However, the combination of your suggestions fixed my issue, thanks James, Doug!
> 
> 
> On 16 May 2014, at 13:40, James Lay <jlay at ...13475...> wrote:
> 
>> On Fri, 2014-05-16 at 12:04 +0200, Edwin Smulders wrote:
>>> Hello,
>>> 
>>> I have a problem I would like some help with: the http inspect preprocessor is not correctly identifying HTTP methods. In my test setup I have 2 machines, 1x Debian 7 (192.168.10.105) and 1x CentOS 6.5 (192.168.10.107). Both are vmware guests.
>>> On both these machines I have made a tcpdump of some HTTP requests - just simple wgets.
>>> 
>>> On both machines I also have a snort install - 2.9.6.1 from the rpm package and self compiled on the debian machine.
>>> At first I was thinking the debian install was having problems detecting HTTP traffic, but it’s slightly different.
>>> 
>>> When I load the CentOS tcpdump in both installs, they both detect HTTP GET Requests.
>>> When I load the debian tcpdump in both installs, neither detects HTTP GET Requests.
>>> 
>>> I’ve attached the tcpdumps (if that works to the mailing list, otherwise I’ll host them somewhere), can anybody help me find out what is different?
>>> 
>>> Note that the same thing happened in the (a bit older) snort version + config in the debian package manager.
>>> 
>>> Config for the debian machine: 
>>> http://paste.debian.net/99908/
>>> 
>>> Config for the centos machine: 
>>> http://paste.debian.net/99909/
>>> 
>>> They should be similar except for paths. Most rules should be disabled, this is just about the http inspect preprocessor detecting the correct methods.
>>> 
>>> I have output logs for the following commands: 
>>> 
>>> root at ...16853...:/home/esmulders/snort-2.9.6.1# /usr/local/bin/snort -c etc/snort.conf -H -U -A cmg -r http-debian.pcap &> snort-debianpcap.log
>>> root at ...16853...:/home/esmulders/snort-2.9.6.1# /usr/local/bin/snort -c etc/snort.conf -H -U -A cmg -r http-centos.pcap &> snort-centospcap.log
>>> 
>>> snort-debianpcap.log: 
>>> http://paste.debian.net/99910/
>>> 
>>> snort-centospcap.log: 
>>> http://paste.debian.net/99911/
>>> 
>>> 
>>> In these outputs the relevant lines are:
>>> GET methods:                          0 
>>> and
>>> GET methods:                          10
>>> 
>>> Can somebody help me debug this? Let me know if you have debugging tips or if I can provide some more information.
>>> I’m available on Freenode/#snort as Dutchy for direct communication (European timezone/business hours work best for me).
>>> 
>>> 
>>> Regards,
>>> Edwin
>>> 
>>> 
>>> ------------------------------------------------------------------------------
>>> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
>>> Instantly run your Selenium tests across 300+ browser/OS combos.
>>> Get unparalleled scalability from the best Selenium testing platform available
>>> Simple to use. Nothing to install. Get started now for free."
>>> 
>>> http://p.sf.net/sfu/SauceLabs
>>> 
>>> _______________________________________________
>>> Snort-users mailing list
>>> 
>>> Snort-users at lists.sourceforge.net
>>> 
>>> Go to this URL to change user options or unsubscribe:
>>> 
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> 
>>> Snort-users list archive:
>>> 
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> 
>>> 
>>> Please visit 
>>> http://blog.snort.org
>>> to stay current on all the latest Snort news!
>>> 
>> 
>> Add "-k none" to your read and capture lines....checksum issue.
>> 
>> James
> 

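James's "-k none" answer and Edwin's attempt to switch off NIC offload both point at the same thing: when TCP checksum offload is active, a capture taken on the sending host can record segments whose checksum the NIC has not yet filled in, and Snort's default checksum verification discards those before http_inspect ever sees them, which shows up as "GET methods: 0". Before changing snort.conf it is worth confirming whether the pcap actually carries bad checksums. The following is an added example, not code from this thread or from the Snort project: a standalone Python script that walks a classic pcap, recomputes the IPv4 header and TCP checksums over the pseudo-header, and reports every mismatch. The sample capture it runs on is constructed inline (a GET from 192.168.10.105 to 192.168.10.107 with a correct checksum, the same GET with the checksum left at 0 as an offload-style capture would show it, and an ARP frame to be skipped); the MAC addresses, ports and sequence numbers are invented.

```python
"""Report IPv4/TCP checksum mismatches in a classic pcap (added example)."""
import struct

IP_PROTO_TCP = 6
ETHERTYPE_IPV4 = 0x0800


def _ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def inet_checksum(data: bytes) -> int:
    """Internet checksum; over data that already carries a correct checksum it is 0."""
    return (~_ones_complement_sum(data)) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, IP_PROTO_TCP, len(segment))
    return inet_checksum(pseudo + segment)


def check_pcap(data: bytes):
    """Walk a classic (non-pcapng) Ethernet pcap; return one dict per IPv4/TCP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    results, offset, index = [], 24, 0
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        index += 1
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue  # not IPv4 (e.g. ARP): nothing to verify
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != IP_PROTO_TCP:
            continue
        ip_hdr, segment = ip[:ihl], ip[ihl:total_len]  # total_len drops Ethernet padding
        src, dst = ip_hdr[12:16], ip_hdr[16:20]
        # Recompute with the checksum field zeroed to show what the NIC should have written.
        expected = tcp_checksum(src, dst, segment[:16] + b"\x00\x00" + segment[18:])
        results.append({
            "index": index,
            "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)),
            "dport": struct.unpack("!H", segment[2:4])[0],
            "ip_ok": inet_checksum(ip_hdr) == 0,
            "tcp_ok": tcp_checksum(src, dst, segment) == 0,
            "stored": struct.unpack("!H", segment[16:18])[0],
            "expected": expected,
        })
    return results


def build_frame(src: bytes, dst: bytes, payload: bytes, offload: bool = False) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame to port 80. offload=True leaves the TCP
    checksum at 0, mimicking a capture taken on a host whose NIC fills it in later."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    segment = tcp + payload
    if not offload:
        segment = segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 1, 0x4000, 64,
                     IP_PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = b"\x00\x0c\x29\x00\x00\x01" + b"\x00\x0c\x29\x00\x00\x02" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + segment


def build_pcap(frames) -> bytes:
    """Classic little-endian pcap with Ethernet link type and one record per frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 1400000000 + i, 0, len(f), len(f)) + f
                             for i, f in enumerate(frames))


# Constructed sample capture: correct GET, offload-style GET (checksum 0), ARP frame.
DEBIAN, CENTOS = bytes([192, 168, 10, 105]), bytes([192, 168, 10, 107])
GET = b"GET / HTTP/1.1\r\nHost: 192.168.10.107\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    build_frame(DEBIAN, CENTOS, GET),
    build_frame(DEBIAN, CENTOS, GET, offload=True),
    b"\xff" * 6 + b"\x00\x0c\x29\x00\x00\x01" + b"\x08\x06" + b"\x00" * 28,
])

if __name__ == "__main__":
    for r in check_pcap(SAMPLE_PCAP):
        print("#%(index)d %(src)s -> %(dst)s:%(dport)d ip_ok=%(ip_ok)s tcp_ok=%(tcp_ok)s "
              "stored=0x%(stored)04x expected=0x%(expected)04x" % r)
```

To check a real capture, call `check_pcap(open("http-debian.pcap", "rb").read())`. If `tcp_ok` is False on most or all packets, the capture is offload-mangled and Snort will only inspect it with `-k none` (or the equivalent `config checksum_mode: none` in snort.conf); the alternative is to take the capture with transmit checksum offload disabled on the capturing host (`ethtool -K eth1 tx off`), or to capture on a machine that is not the sender.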