[Snort-users] (http_inspect) UNKNOWN METHOD error on squid

James Lay jlay at ...13475...
Wed Mar 4 08:55:19 EST 2015


On Wed, 2015-03-04 at 12:17 +0000, Terry John wrote:
> It’s difficult to sanitise the data for public viewing unfortunately.
> But what I can say, from the squid logs, is that it is coming from a
> fisheye server connecting to a code repository service providing
> source code management. It connects successfully to port 443 of the
> destination server.
> 
>  
> 
> The data comes as a burst of 3 or 4 packets in a second waits about 15
> seconds then sends another burst of packets.
> 
>  
> 
> Sorry if it’s a bit vague
> 
>  
> 
> 
> From: Al Lewis (allewi) [mailto:allewi at ...589...] 
> Sent: 04 March 2015 11:22
> To: Terry John; snort-users
> Subject: RE: (http_inspect) UNKNOWN METHOD error on squid
> 
> 
> 
>  
> 
> Hello,
> 
>  
> 
> Can you provide a pcap of the traffic that is causing the alerts?
> 
>  
> 
> What this alert is telling you is that one of the http_methods used in
> the packet is either not in your preprocessor config or
> malformed/invalid.
> 
>  
> 
>  
> 
> 
> Albert Lewis
> 
> QA Software Engineer
> 
> SOURCEfire, Inc. now part ofCisco
> 
> 9780 Patuxent Woods Drive
> Columbia, MD 21046 
> 
> Phone: (office) 443.430.7112
> 
> Email:allewi at ...589... 
> 
> 
> 
>  
> 
> 
> From: Terry John
> [mailto:Terry.John at ...16850...] 
> Sent: Wednesday, March 04, 2015 5:52 AM
> To: snort-users
> Subject: [Snort-users] (http_inspect) UNKNOWN METHOD error on squid
> 
> 
> 
>  
> 
> I am trying to work out how to stop of thousands of false positives
> caused by access to squid proxy on port 3128. Here is a typical error.
> 
>  
> 
> [119:31:1] (http_inspect) UNKNOWN METHOD [**]
> 
> [Classification: Unknown Traffic] [Priority: 3] <date>-<time>
> <src_ip>:35360 -> <squid_server_ip>:3128
> 
> TCP TTL:128 TOS:0x0 ID:87051 IpLen:20 DgmLen:775 DF
> 
> ***A**** Seq: 0x126F0768 Ack: 0x859E62D4 Win: 0x4980 TcpLen: 32
> 
>  
> 
> Here is what I think  is the relevant section of the pre-processor
> declaration
> 
>  
> 
> preprocessor http_inspect_server: server default \
> 
>     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK
> NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE
> TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH
> BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST
> SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
> 
>     allow_proxy_use \
> 
>     ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593
> 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381
> 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173
> 6988 7000 7001 7071 7144 7145 7510 7770 7777 7779 8000 8008 8014 8028
> 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300
> 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443 9999 10000
> 11371 12601 15489 29991 33300 34412 34443 34444 41080 44449 50000
> 50002 51423 53331 55252 55555 56712 } \
> 
>  
> 
> I have a local rule to reduce the number of errors but I would rather
> not have to do that
> 
>  
> 
> # This is to reduce the number of 'unknown method' http alerts
> 
> event_filter gen_id 119, sig_id 31, type limit, track by_src, count 1,
> seconds 10
> 
>  
> 
> I feel that squid proxy is so common that there should be a standard
> setting for this but at the moment I just can’t find it.
> 
>  
> 
> If I delete port 3128 from the list of ports then the rule is not
> applied but I don’t think that is what we want.
> 
>  
> 
> Thanks
> 
>  
> 
> The Manheim group of companies within the UK comprises: Manheim Europe
> Limited (registered number: 03183918), Manheim Auctions Limited
> (registered number: 00448761), Manheim Retail Services Limited
> (registered number: 02838588), Motors.co.uk Limited (registered
> number: 05975777), Real Time Communications Limited (registered
> number: 04277845) and Complete Automotive Solutions Limited
> (registered number: 05302535). Each of these companies is registered
> in England and Wales with the registered office address of Central
> House, Leeds Road, Rothwell, Leeds LS26 0JE. The Manheim group of
> companies operates under various brand/trading names including Manheim
> Inspection Services, Manheim Auctions, Manheim Direct, Manheim
> De-fleet and Manheim Aftersales Solutions. 
> 
> V:0CF72C13B2AC
> 
>  
> 
> 
> 
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the 
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


Prove the method squid is passing from the pcap...that should tell us if
it is indeed not passing a method in the list (I run squid on a snort
box and well and have not seen this before).

James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150304/04db3792/attachment.html>


More information about the Snort-users mailing list