[Snort-users] HTTP preprocessor

James Lay jlay at ...13475...
Mon Jan 26 13:01:20 EST 2015


On 2015-01-26 10:23 AM, Eugenio Perez wrote:
> Hi Everyone.
>
> I don't know if the HTTP preprocessor is working properly. Using Snort
> 2.9.7.0 and the attached pcap, and the following line to run snort:
>
>     snort -v -e --pid-path /var/run -r 80.pcap -c
> /etc/snort/snort.conf -l /var/log/snort/ --perfmon-file /dev/null
> --treat-drop-as-alert --daq dump --daq-var load-mode=read-file -Q
>
> I'm not able to see the HTTP response in the stats:
> 
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                         0
>     GET methods:                          0
>     HTTP Request Headers extracted:       0
>     Avg Request Header length:            n/a
>     HTTP Request Cookies extracted:       0
>     Avg Request Cookie length:            n/a
>     Post parameters extracted:            0
>     HTTP response Headers extracted:      0
>     Avg Response Header length:           0.00
>     HTTP Response Cookies extracted:      0
>     Avg Response Cookie length:           n/a
>     Unicode:                              0
>     Double unicode:                       0
>     Non-ASCII representable:              0
>     Directory traversals:                 0
>     Extra slashes ("//"):                 0
>     Self-referencing paths ("./"):        0
>     HTTP Response Gzip packets extracted: 0
>     Gzip Compressed Data Processed:       n/a
>     Gzip Decompressed Data Processed:     n/a
>     Total packets processed:              1
> 
> ===============================================================================
>
> Following "http://seclists.org/snort/2013/q2/905", if I enable inline
> mode operation (adding --daq dump --daq-var load-mode=read-file -Q),
> I see that the HTTP preprocessor can extract more info:
>
> 
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                         0
>     GET methods:                          0
>     HTTP Request Headers extracted:       0
>     Avg Request Header length:            n/a
>     HTTP Request Cookies extracted:       0
>     Avg Request Cookie length:            n/a
>     Post parameters extracted:            0
>     HTTP response Headers extracted:      1
>     Avg Response Header length:           0.00
>     HTTP Response Cookies extracted:      0
>     Avg Response Cookie length:           n/a
>     Unicode:                              0
>     Double unicode:                       0
>     Non-ASCII representable:              0
>     Directory traversals:                 0
>     Extra slashes ("//"):                 0
>     Self-referencing paths ("./"):        0
>     HTTP Response Gzip packets extracted: 0
>     Gzip Compressed Data Processed:       n/a
>     Gzip Decompressed Data Processed:     n/a
>     Total packets processed:              2
> 
> ===============================================================================
>
> However, my pcap is a full one (it includes SYN, ACK, FIN, and all
> packets needed to establish the TCP connection). Why is the HTTP
> preprocessor able to see more information in inline mode?
>
> Thanks in advance, regards.

Add -k none to the run line and see what the results are.

James
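The `-k none` hint points at checksum verification: Snort's `-k <mode>` option selects which checksums are verified (all, noip, notcp, noudp, noicmp, none), the default verifies all of them, and packets that fail verification are not handed to the preprocessors or rules. A capture taken on a host with checksum offloading enabled looks complete in Wireshark yet produces nearly empty HTTP Inspect counters for exactly that reason. The script below is an added example written for this thread, not code from the thread or from the Snort project: it builds a small constructed pcap of a five-packet HTTP session in memory, with the GET request's TCP checksum deliberately wrong to mimic an offloaded capture, and then walks the file verifying every IPv4 and TCP checksum so you can tell ahead of time whether `-k none` is the right knob. All addresses, ports, MACs and payloads are constructed, and only the classic little-endian pcap format is handled.

```python
"""Verify IPv4 and TCP checksums in a pcap.

Added example (not Snort code): Snort's default checksum mode (-k all) does
not pass packets with bad checksums to the preprocessors, so a capture with
offloaded, never-filled-in checksums yields empty HTTP Inspect counters.
This script flags such frames. All sample traffic below is constructed.
"""
import struct

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when `data` already contains a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", bad_tcp_csum=False):
    """Ethernet/IPv4/TCP frame. bad_tcp_csum stores an off-by-one checksum,
    mimicking a frame captured on the sender before the NIC filled it in."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    csum = tcp_checksum(src, dst, seg)
    if bad_tcp_csum:
        csum = (csum + 1) & 0xFFFF
    seg = seg[:16] + struct.pack("!H", csum) + seg[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 1, 0, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_sum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # constructed MACs
    return eth + ip_hdr + seg


def build_pcap(frames):
    """Classic little-endian pcap (magic 0xA1B2C3D4, link type 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1422298000 + i, 0, len(f), len(f)) + f
    return bytes(out)


def check_pcap(pcap: bytes):
    """Return [(frame_number, ip_ok, tcp_ok)] for every IPv4/TCP frame in the pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled in this example")
    results, off, num = [], 24, 0
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        num += 1
        if frame[12:14] != b"\x08\x00":   # EtherType is not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                     # protocol is not TCP
            continue
        seg = ip[ihl:total_len]
        ip_ok = ones_complement_sum(ip[:ihl]) == 0
        tcp_ok = tcp_checksum(ip[12:16], ip[16:20], seg) == 0
        results.append((num, ip_ok, tcp_ok))
    return results


def sample_session():
    """Constructed 5-packet HTTP exchange; the GET carries a bad TCP checksum."""
    c, s = "10.0.0.2", "10.0.0.80"
    req = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    return [
        build_frame(c, s, 40000, 80, 1000, 0, SYN),
        build_frame(s, c, 80, 40000, 5000, 1001, SYN | ACK),
        build_frame(c, s, 40000, 80, 1001, 5001, ACK),
        build_frame(c, s, 40000, 80, 1001, 5001, PSH | ACK, req, bad_tcp_csum=True),
        build_frame(s, c, 80, 40000, 5001, 1001 + len(req), PSH | ACK, resp),
    ]


SAMPLE_PCAP = build_pcap(sample_session())


def bad_checksum_frames(pcap: bytes):
    """Frame numbers Snort would discard under -k all (bad IP or TCP checksum)."""
    return [n for n, ip_ok, tcp_ok in check_pcap(pcap) if not (ip_ok and tcp_ok)]


if __name__ == "__main__":
    for n, ip_ok, tcp_ok in check_pcap(SAMPLE_PCAP):
        print(f"frame {n}: ip {'ok' if ip_ok else 'BAD'}, tcp {'ok' if tcp_ok else 'BAD'}")
    print("frames dropped under -k all:", bad_checksum_frames(SAMPLE_PCAP))
```

Run against a real capture by replacing `SAMPLE_PCAP` with the file's bytes; if the request or response frames show up in `bad_checksum_frames`, the empty counters are a checksum problem rather than an HTTP Inspect problem, and the durable fix is to capture on a span port or a host with offloading disabled rather than to leave `-k none` in the production run line (Wireshark shows the same thing once its TCP checksum validation preference is turned on).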