[Snort-users] http_inspect missing requests

Felix Erlacher felix.erlacher at ...17726...
Fri Feb 3 13:27:45 EST 2017


Hi all,

I have a pcap trace containing HTTP traffic. I began to wonder because
Snort did not trigger all alerts I was expecting. So I extracted the TCP
stream in question and looked at it more closely. My impression is that
for some reason the HTTP preprocessor is not parsing all GET requests.
If I load this trace in Wireshark, then "follow TCP stream", it shows me
10 GET requests.
If I use ngrep to manually inspect the trace, I count 10 GET requests as
well.

But the HTTP Inspect preprocessor of Snort tells me it found only 7 GET
requests?!
What could possibly be the problem?

Some peculiarities of the trace:
Heavy usage of HTTP/1.1 pipelining
While Wireshark and the Snort DAQ tell me they processed 13 packets,
HTTP Inspect tells me it processed 17 packets.
This trace contains checksum errors and a TCP RST in the last packet.

I am using Snort 2.9.9.0 with snort.conf from tarball and "-k none" switch.

I would be happy to share the trace, but for privacy reasons I don't
want to do that on the list. In case someone wants to take a look, just
drop me a mail.

thanks and greetings
-- 
Felix Erlacher
ccs-labs.org/~erlacher

Key-ID:4EAC0959
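
The mail mentions heavy HTTP/1.1 pipelining, and the three counts (Wireshark, ngrep, http_inspect) disagree. Before trusting any one tool it helps to count requests from the reassembled client-to-server byte stream itself, where pipelined requests sit back to back in one segment, a request header can straddle two segments, and a "GET " inside a POST body is not a request at all. The following Python is an added example written for this thread; it is not code from the original mail, from Snort, or from ngrep. The `SAMPLE_SEGMENTS` data is constructed to show each of those cases, and the function and class names are this example's own.

```python
"""Count HTTP/1.1 requests in a pipelined client->server TCP stream.

Added example, not code from the original mail or from Snort/ngrep.
SAMPLE_SEGMENTS is constructed sample data, not a real capture.
"""
from typing import Dict, List, Tuple


def parse_requests(stream: bytes) -> Tuple[List[Tuple[bytes, bytes]], int]:
    """Split a reassembled byte stream into complete HTTP/1.1 requests.

    Returns (requests, consumed): each request is (request_line, body) and
    `consumed` is the number of leading bytes that form complete requests.
    A request whose header block or Content-Length body is not fully present
    is left unconsumed so the caller can wait for the next segment.
    """
    requests: List[Tuple[bytes, bytes]] = []
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # header block not complete yet
        lines = stream[pos:end].split(b"\r\n")
        request_line = lines[0]
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        body_start = end + 4
        if body_start + length > len(stream):
            break  # body truncated; wait for more data
        requests.append((request_line, stream[body_start:body_start + length]))
        pos = body_start + length
    return requests, pos


class PipelinedStream:
    """Feed TCP segments in order; accumulates requests across segment boundaries."""

    def __init__(self) -> None:
        self.pending = b""
        self.requests: List[Tuple[bytes, bytes]] = []

    def feed(self, segment: bytes) -> None:
        self.pending += segment
        done, used = parse_requests(self.pending)
        self.requests.extend(done)
        self.pending = self.pending[used:]

    def count(self, method: bytes = b"GET") -> int:
        return sum(1 for line, _ in self.requests if line.startswith(method + b" "))


def compare_counts(segments: List[bytes]) -> Dict[str, int]:
    """Contrast a stream-aware request count with two per-segment heuristics."""
    stream = PipelinedStream()
    for seg in segments:
        stream.feed(seg)
    return {
        # what a pipelining-aware parser sees
        "parsed_get_requests": stream.count(b"GET"),
        "parsed_all_requests": len(stream.requests),
        # a tool that only recognises a request at the start of a segment
        "segments_starting_with_get": sum(1 for s in segments if s.startswith(b"GET ")),
        # a grep-style match count, which also hits "GET " inside a body
        "grep_style_get_matches": sum(s.count(b"GET ") for s in segments),
    }


# Constructed sample: two pipelined GETs in one segment, one GET split across
# two segments, a POST whose body happens to contain "GET /", then a final GET.
SAMPLE_SEGMENTS = [
    b"GET /a HTTP/1.1\r\nHost: x\r\n\r\nGET /b HTTP/1.1\r\nHost: x\r\n\r\n",
    b"GET /c HTTP/1.1\r\nHost: x\r\n",
    b"\r\nGET /d HTTP/1.1\r\nHost: x\r\n\r\n",
    b"POST /e HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nGET /",
    b"GET /f HTTP/1.1\r\nHost: x\r\n\r\n",
]

if __name__ == "__main__":
    for name, value in compare_counts(SAMPLE_SEGMENTS).items():
        print(f"{name}: {value}")
```

On the constructed data the stream parser finds 5 GET requests (6 requests in total), a start-of-segment heuristic finds only 3, and a grep-style count reports 6 because it matches the POST body. Feeding the real client-to-server payload of the stream in question into `PipelinedStream` (for example, exported from Wireshark's "follow TCP stream" as raw bytes) gives a reference count to compare against what http_inspect reports.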