[Snort-users] HTTP preprocessor

Eugenio Perez eugenio at ...16842...
Mon Jan 26 12:23:59 EST 2015


Hi Everyone.

I don't know if the HTTP preprocessor is working properly. Using Snort
2.9.7.0 and the attached pcap, and the following line to run snort:

    snort -v -e --pid-path /var/run -r 80.pcap -c
    /etc/snort/snort.conf -l /var/log/snort/ --perfmon-file /dev/null
    --treat-drop-as-alert --daq dump --daq-var load-mode=read-file -Q

I'm not able to see the HTTP response in the stats:
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          0
    HTTP Request Headers extracted:       0
    Avg Request Header length:            n/a
    HTTP Request Cookies extracted:       0
    Avg Request Cookie length:            n/a
    Post parameters extracted:            0
    HTTP response Headers extracted:      0
    Avg Response Header length:           0.00
    HTTP Response Cookies extracted:      0
    Avg Response Cookie length:           n/a
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              1
===============================================================================

Following "http://seclists.org/snort/2013/q2/905", if I enable inline
mode operation (adding --daq dump --daq-var load-mode=read-file -Q), I
see that the HTTP preprocessor can extract more info:

===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          0
    HTTP Request Headers extracted:       0
    Avg Request Header length:            n/a
    HTTP Request Cookies extracted:       0
    Avg Request Cookie length:            n/a
    Post parameters extracted:            0
    HTTP response Headers extracted:      1
    Avg Response Header length:           0.00
    HTTP Response Cookies extracted:      0
    Avg Response Cookie length:           n/a
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              2
===============================================================================

However, my pcap is a full one (it includes syn, ack, fin, and all
packets needed to establish the TCP connection). Why is the HTTP
preprocessor able to see more information in inline mode?

Thanks in advance, regards.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 80f.pcap
Type: application/vnd.tcpdump.pcap
Size: 1495 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150126/191b8a3e/attachment.pcap>
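Comparing the two "HTTP Inspect - encodings" blocks by eye is error-prone, so here is a small parser and differ for that summary format. This is an added example, not code from the original post or from Snort; the sample blocks are abbreviated, constructed copies of the two outputs quoted above.

```python
"""Added example (not from the original post): parse and diff two
Snort 'HTTP Inspect - encodings' summary blocks, e.g. a passive run
vs. an inline (-Q) run over the same pcap."""
import re

# Counter lines look like: "    Total packets processed:              1"
# The title line has no trailing value token, so it never matches.
_COUNTER = re.compile(r"^\s*(?P<name>[^:]+?):\s+(?P<value>\S+)\s*$")


def _to_number(value):
    """'n/a' -> None, '0.00' -> float, '1' -> int."""
    if value == "n/a":
        return None
    return float(value) if "." in value else int(value)


def parse_http_inspect_stats(text):
    """Map counter name -> value for one stats block; the '====' rules
    and the title line are skipped because they carry no counter."""
    stats = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            stats[m.group("name")] = _to_number(m.group("value"))
    return stats


def diff_stats(before, after):
    """Counters whose value differs: name -> (before, after)."""
    names = list(before) + [n for n in after if n not in before]
    return {n: (before.get(n), after.get(n))
            for n in names if before.get(n) != after.get(n)}


# Constructed sample: abbreviated copies of the two blocks in the post.
PASSIVE = """\
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    GET methods:                          0
    HTTP response Headers extracted:      0
    Avg Response Header length:           0.00
    Avg Response Cookie length:           n/a
    Total packets processed:              1
"""
INLINE = (PASSIVE.replace("extracted:      0", "extracted:      1")
          .replace("processed:              1", "processed:              2"))

if __name__ == "__main__":
    for name, (b, a) in diff_stats(parse_http_inspect_stats(PASSIVE),
                                   parse_http_inspect_stats(INLINE)).items():
        print(f"{name}: {b} -> {a}")
```

Run it on the full blocks saved from two real snort runs to list exactly which counters the inline run changed.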