[Snort-users] http_header not working

NIDS TEAM nidsteam at ...11827...
Mon Sep 29 07:52:20 EDT 2014


So I just compiled Snort with --enable-sourcefire.

Snort runs with the following rule:
alert tcp any any <> any any (msg:"TEST HOST alert"; content:"google";
http_uri; gid:1; sid:99999; rev:2;)

I then do one single request to www.google.com/mail

The following request is visible with Snort (I do not copy all the SYN/ACK
packets):

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/29-09:03:51.706262 213.156.231.85:38364 -> 173.194.32.210:80
TCP TTL:64 TOS:0x0 ID:60575 IpLen:20 DgmLen:170 DF
***AP*** Seq: 0xE1581B62  Ack: 0x746B8DA  Win: 0x73  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1809643521 4126477955
47 45 54 20 2F 6D 61 69 6C 20 48 54 54 50 2F 31  GET /mail HTTP/1
2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  .1..User-Agent:
57 67 65 74 2F 31 2E 31 33 2E 34 20 28 6C 69 6E  Wget/1.13.4 (lin
75 78 2D 67 6E 75 29 0D 0A 41 63 63 65 70 74 3A  ux-gnu)..Accept:
20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 77 77 77 2E   */*..Host: www.
67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E 6E  google.com..Conn
65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69  ection: Keep-Ali
76 65 0D 0A 0D 0A                                ve....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The Preprocessor Profile Statistics shows:
  Num    Preprocessor  Layer  Checks  Exits  Microsecs  Avg/Check  Pct of Caller  Pct of Total
    3     httpinspect      0       2      2          4       2.11           0.60          0.60

===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          0
    HTTP Request Headers extracted:       0
    HTTP Request Cookies extracted:       0
    Post parameters extracted:            0
    HTTP response Headers extracted:      0
    HTTP Response Cookies extracted:      0
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              2

It looks like the http_inspect preprocessor doesn't do anything here,
besides passing the packet.

The http_inspect configuration is identical to:
http://labs.snort.org/snort/2962/snort.conf



On Fri, Sep 26, 2014 at 5:50 PM, Joel Esler (jesler) <jesler at ...589...>
wrote:

> I suggest you compile with --enable-sourcefire.
>
> That turns on all the things we usually troubleshoot with.
>
>
> > On Sep 26, 2014, at 11:46 AM, NIDS TEAM <nidsteam at ...11827...> wrote:
> >
> > No, but is there any dependency?
> >
> > These are the compile flags:
> >
> > ./configure \
> >                 --quiet \
> >                 --prefix=/opt/snort \
> >                 --enable-static=no \
> >                 --with-libpcap-includes=/opt/snort/include \
> >                 --with-libpcap-libraries=/opt/snort/lib \
> >                 --with-dnet-includes=/opt/snort/include \
> >                 --with-dnet-libraries=/opt/snort/lib \
> >                 --with-daq-includes=/opt/snort/include \
> >                 --with-daq-libraries=/opt/snort/lib \
> >                 --enable-reload \
> >                 --enable-reload-error-restart \
> >                 --enable-normalizer
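As an added example (not from the post and not Snort's own code): a small Python script that rebuilds the request from the hex columns of the packet dump above and reports which http_inspect rule buffer a `content:` string would land in. The dump is pasted verbatim as constructed input; the buffer split is a simplified model of http_inspect (cookie extraction and URI normalization are not reproduced). On this request the URI is only `/mail`, and the string `google` is in the Host header, so only the http_header buffer carries it.

```python
import re

# Constructed input: the hex/ASCII packet dump from the post, pasted verbatim.
SNORT_DUMP = """\
47 45 54 20 2F 6D 61 69 6C 20 48 54 54 50 2F 31  GET /mail HTTP/1
2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  .1..User-Agent:
57 67 65 74 2F 31 2E 31 33 2E 34 20 28 6C 69 6E  Wget/1.13.4 (lin
75 78 2D 67 6E 75 29 0D 0A 41 63 63 65 70 74 3A  ux-gnu)..Accept:
20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 77 77 77 2E   */*..Host: www.
67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E 6E  google.com..Conn
65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69  ection: Keep-Ali
76 65 0D 0A 0D 0A                                ve....
"""

# At most 16 octets per line; the ASCII gutter after them is never consumed.
HEX_COLUMNS = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,15}[0-9A-Fa-f]{2})")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the TCP payload from the hex columns of a Snort -d packet dump."""
    payload = bytearray()
    for line in dump.splitlines():
        m = HEX_COLUMNS.match(line)
        if m:
            payload += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(payload)


def parse_request(raw: bytes) -> dict:
    """Split an HTTP/1.x request into the pieces http_inspect exposes as rule buffers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, version = request_line.split(b" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"http_method": method,
            "http_uri": uri,                            # searched by http_uri
            "http_header": b"\r\n".join(header_lines),  # searched by http_header (simplified)
            "http_client_body": body,                   # searched by http_client_body
            "headers": headers, "version": version}


def buffers_matching(req: dict, needle: bytes) -> list:
    """Name each rule buffer in which content:"<needle>" would hit."""
    return [b for b in ("http_method", "http_uri", "http_header", "http_client_body")
            if needle in req[b]]


if __name__ == "__main__":
    req = parse_request(dump_to_bytes(SNORT_DUMP))
    for needle in (b"google", b"mail"):  # prints: google -> ['http_header'], mail -> ['http_uri']
        print(needle.decode(), "->", buffers_matching(req, needle) or "no buffer")
```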