[Snort-users] HTTP preprocessor

Eugenio Perez eugenio at ...16842...
Tue Jan 27 03:32:17 EST 2015


Hi James and Lewis.

You both are right, what a dumb failure! Checksum offloading cheated me.

Thanks for your help!

2015-01-26 19:05 GMT+01:00 Al Lewis (allewi) <allewi at ...589...>:
> Try running with the "-k none" option. The pcap you have has bad checksums.
>
>
> Without -k
>
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                         0
>     GET methods:                          0
>     HTTP Request Headers extracted:       0
>     HTTP Request Cookies extracted:       0
>     Post parameters extracted:            0
>     HTTP response Headers extracted:      0
>     HTTP Response Cookies extracted:      0
>     Unicode:                              0
>     Double unicode:                       0
>     Non-ASCII representable:              0
>     Directory traversals:                 0
>     Extra slashes ("//"):                 0
>     Self-referencing paths ("./"):        0
>     HTTP Response Gzip packets extracted: 0
>     Gzip Compressed Data Processed:       n/a
>     Gzip Decompressed Data Processed:     n/a
>     Total packets processed:              1
> ===============================================================================
>
>
> Ignoring checksums:
>
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                         0
>     GET methods:                          1
>     HTTP Request Headers extracted:       1
>     HTTP Request Cookies extracted:       0
>     Post parameters extracted:            0
>     HTTP response Headers extracted:      1
>     HTTP Response Cookies extracted:      0
>     Unicode:                              0
>     Double unicode:                       0
>     Non-ASCII representable:              0
>     Directory traversals:                 0
>     Extra slashes ("//"):                 0
>     Self-referencing paths ("./"):        0
>     HTTP Response Gzip packets extracted: 0
>     Gzip Compressed Data Processed:       n/a
>     Gzip Decompressed Data Processed:     n/a
>     Total packets processed:              4
> ===============================================================================
>
>
>
> As you can see, more packets are processed and snort actually sees the "Get".
>
>
> Hope this helps.
>
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
>
> -----Original Message-----
> From: Eugenio Perez [mailto:eugenio at ...16842...]
> Sent: Monday, January 26, 2015 12:24 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] HTTP preprocessor
>
> Hi Everyone.
>
> I don't know if the HTTP preprocessor is working properly. Using Snort
> 2.9.7.0 and the attached pcap, and the following line to run snort:
>
>     snort -v -e --pid-path /var/run -r 80.pcap -c /etc/snort/snort.conf -l /var/log/snort/ --perfmon-file /dev/null --treat-drop-as-alert --daq dump --daq-var load-mode=read-file -Q
>
> I'm not able to see the HTTP response in the stats:
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                         0
>     GET methods:                          0
>     HTTP Request Headers extracted:       0
>     Avg Request Header length:            n/a
>     HTTP Request Cookies extracted:       0
>     Avg Request Cookie length:            n/a
>     Post parameters extracted:            0
>     HTTP response Headers extracted:      0
>     Avg Response Header length:           0.00
>     HTTP Response Cookies extracted:      0
>     Avg Response Cookie length:           n/a
>     Unicode:                              0
>     Double unicode:                       0
>     Non-ASCII representable:              0
>     Directory traversals:                 0
>     Extra slashes ("//"):                 0
>     Self-referencing paths ("./"):        0
>     HTTP Response Gzip packets extracted: 0
>     Gzip Compressed Data Processed:       n/a
>     Gzip Decompressed Data Processed:     n/a
>     Total packets processed:              1
> ===============================================================================
>
> Following "http://seclists.org/snort/2013/q2/905", if I enable inline mode operation (adding --daq dump --daq-var load-mode=read-file -Q), I see that the HTTP preprocessor can extract more info:
>
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                         0
>     GET methods:                          0
>     HTTP Request Headers extracted:       0
>     Avg Request Header length:            n/a
>     HTTP Request Cookies extracted:       0
>     Avg Request Cookie length:            n/a
>     Post parameters extracted:            0
>     HTTP response Headers extracted:      1
>     Avg Response Header length:           0.00
>     HTTP Response Cookies extracted:      0
>     Avg Response Cookie length:           n/a
>     Unicode:                              0
>     Double unicode:                       0
>     Non-ASCII representable:              0
>     Directory traversals:                 0
>     Extra slashes ("//"):                 0
>     Self-referencing paths ("./"):        0
>     HTTP Response Gzip packets extracted: 0
>     Gzip Compressed Data Processed:       n/a
>     Gzip Decompressed Data Processed:     n/a
>     Total packets processed:              2
> ===============================================================================
>
> However, my pcap is a full one (it includes syn, ack, fin, and all packets needed to establish the TCP connection). Why is the HTTP preprocessor able to see more information in inline mode?
>
> Thanks in advance, regards.
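The root cause in this thread is a capture whose TCP checksums are wrong because the capturing host had checksum offloading enabled, so Snort silently discarded the segments until `-k none` was given. The following script is an added example written for this page (it is not code from the thread, from Snort, or from Cisco): it parses a classic pcap file and verifies the IPv4 header and TCP checksums of every packet, so a capture can be checked for this problem before it is replayed through an IDS. The packets it inspects are constructed inline (addresses, ports and the `example.test` host name are made up); the pcap from the thread is not available here.

```python
"""Added example (not from the Snort-users thread): audit IPv4 and TCP checksums
in a classic pcap so that captures taken with checksum offloading enabled can be
spotted before they are replayed through Snort (which needs `-k none` for them).
All packets below are constructed for the demonstration."""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap magic (host byte order when written)
DLT_EN10MB = 1            # Ethernet link type in the pcap global header


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Value to write into a header whose checksum field is currently zero."""
    return (~ones_complement_sum(data)) & 0xFFFF


def ipv4_header_checksum_ok(ip: bytes) -> bool:
    """A correct header sums to 0xFFFF when the checksum field is included."""
    ihl = (ip[0] & 0x0F) * 4
    return ones_complement_sum(ip[:ihl]) == 0xFFFF


def tcp_checksum_ok(ip: bytes):
    """True/False for a complete TCP segment, None if the capture truncated it."""
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if total_len > len(ip):
        return None
    tcp = ip[ihl:total_len]
    # TCP pseudo-header: src, dst, zero, protocol 6, TCP length
    pseudo = ip[12:20] + b"\x00\x06" + struct.pack("!H", len(tcp))
    return ones_complement_sum(pseudo + tcp) == 0xFFFF


def audit_pcap(data: bytes):
    """Return (packet_no, ip_ok, tcp_ok) for each IPv4 packet in a pcap."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    if struct.unpack_from(endian + "I", data, 20)[0] != DLT_EN10MB:
        raise ValueError("this example only handles Ethernet captures")
    results, off, no = [], 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        no += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                        # not IPv4 over plain Ethernet
        ip = frame[14:]
        tcp_ok = tcp_checksum_ok(ip) if ip[9] == 6 else None
        results.append((no, ipv4_header_checksum_ok(ip), tcp_ok))
    return results


def count_bad(results) -> int:
    """Packets Snort would drop unless run with `-k none`."""
    return sum(1 for _, ip_ok, tcp_ok in results if ip_ok is False or tcp_ok is False)


def build_ipv4_tcp(src, dst, sport, dport, payload, tcp_checksum=None):
    """Constructed IPv4/TCP packet; pass tcp_checksum to emulate a bad capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    pseudo = src + dst + b"\x00\x06" + struct.pack("!H", len(tcp))
    if tcp_checksum is None:
        tcp_checksum = checksum(pseudo + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def build_pcap(packets) -> bytes:
    """Wrap raw IPv4 packets in an Ethernet frame and a little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    for pkt in packets:
        frame = eth + pkt
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def build_sample_pcap() -> bytes:
    """Constructed sample: a GET with good checksums, then the same GET with a
    zeroed TCP checksum, as left behind by a host with TCP checksum offloading."""
    client, server = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 80])
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    good = build_ipv4_tcp(client, server, 40000, 80, request)
    offloaded = build_ipv4_tcp(client, server, 40000, 80, request, tcp_checksum=0)
    return build_pcap([good, offloaded])


if __name__ == "__main__":
    audit = audit_pcap(build_sample_pcap())
    for no, ip_ok, tcp_ok in audit:
        print("packet %d: ip %s, tcp %s" % (no, "ok" if ip_ok else "BAD",
                                            "ok" if tcp_ok else "BAD"))
    print("%d of %d packets would need -k none" % (count_bad(audit), len(audit)))
```

Run it against a real capture by replacing `build_sample_pcap()` with `open("80.pcap", "rb").read()`; if `count_bad` is non-zero the capture was almost certainly taken on the sending host with offloading enabled, and the fix is either to capture on a different machine (or with offloading disabled on the interface) or, as Al suggests, to replay it with `-k none`. The script deliberately checks only IPv4 over plain Ethernet; VLAN-tagged or IPv6 frames are skipped rather than misreported.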



