[Snort-users] http_inspect missing requests
felix.erlacher at ...17726...
Fri Feb 3 13:27:45 EST 2017
I have a pcap trace containing HTTP traffic. I began to wonder because
Snort did not trigger all alerts I was expecting. So I extracted the TCP
stream in question and looked at it more closely. My impression is that
for some reason the HTTP preprocessor is not parsing all GET requests.
If I load this trace in Wireshark, then "follow TCP stream", it shows me
10 GET requests.
If I use ngrep to manually inspect the trace, I count 10 GET requests as
But the HTTP Inspect preprocessor of Snort tells me it found only 7 GET
What could possibly be the problem?
Some peculiarities of the trace:
- Heavy usage of HTTP/1.1 pipelining
- While Wireshark and the Snort DAQ tell me they processed 13 packets,
  HTTP inspect tells me it processed 17 packets.
- This trace contains checksum errors and a TCP RST in the last packet.
I am using Snort 220.127.116.11 with snort.conf from tarball and "-k none" switch.
I would be happy to share the trace, but for privacy reasons I don't
want to do that on the list. In case someone wants to take a look, just
drop me a mail.
thanks and greetings
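A worked illustration of why different tools can disagree on the number of pipelined requests in one TCP stream, added here as an example; it is not code from the post and makes no claim about what Snort's http_inspect actually does with the trace. It builds a constructed stream of ten pipelined HTTP/1.1 GET requests, segments it so that two request lines straddle segment boundaries (the sender's segmentation is hypothetical), and then counts requests three ways: an unanchored substring match per segment (what a plain grep sees), a line-anchored match per segment (what a per-packet matcher sees), and a proper parse of the reassembled stream.

```python
import re

# Constructed sample data: ten pipelined GET requests on one connection.
# The User-Agent header deliberately contains the token "GET" so that an
# unanchored pattern match over-counts.
def make_request(n):
    return (f"GET /item/{n} HTTP/1.1\r\n"
            f"Host: example.test\r\n"
            f"User-Agent: GET-tester\r\n"
            f"\r\n").encode()

REQUESTS = [make_request(n) for n in range(1, 11)]
STREAM = b"".join(REQUESTS)
# Byte offset at which each request starts inside the reassembled stream.
OFFSETS = [sum(len(r) for r in REQUESTS[:i]) for i in range(len(REQUESTS))]


def split_at(data, cut_points):
    """Cut a byte string into segments at the given offsets (a hypothetical
    TCP segmentation that ignores HTTP message boundaries)."""
    segments, start = [], 0
    for cut in cut_points:
        segments.append(data[start:cut])
        start = cut
    segments.append(data[start:])
    return segments


# Two cuts land inside a request line ("GE|T /item/3", "G|ET /item/9"),
# one cut is clean (between requests 4 and 5).
SEGMENTS = split_at(STREAM, [OFFSETS[2] + 2, OFFSETS[4], OFFSETS[8] + 1])


def count_substring(segments):
    """Unanchored match per segment: counts 'GET' wherever it appears,
    including header values, and misses a token split across segments."""
    return sum(seg.count(b"GET") for seg in segments)


def count_per_segment(segments):
    """Line-anchored match per segment: ignores header values but still
    misses a request line whose method token straddles two segments."""
    return sum(len(re.findall(rb"(?m)^GET ", seg)) for seg in segments)


def parse_reassembled(stream):
    """Parse the reassembled stream as HTTP/1.1 and return the request
    targets in order. Handles pipelining (requests back to back) and a
    Content-Length body; stops at a truncated request instead of guessing."""
    targets, pos = [], 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break  # headers incomplete (e.g. stream cut by a RST)
        request_line, *header_lines = stream[pos:head_end].split(b"\r\n")
        m = re.match(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$", request_line)
        if not m:
            raise ValueError(f"malformed request line at offset {pos}: {request_line!r}")
        body_len = 0
        for line in header_lines:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                body_len = int(value.strip())
        if m.group(1) == b"GET":
            targets.append(m.group(2))
        pos = head_end + 4 + body_len
    return targets


if __name__ == "__main__":
    print("segments:", len(SEGMENTS))
    print("unanchored substring count:", count_substring(SEGMENTS))
    print("line-anchored per-segment count:", count_per_segment(SEGMENTS))
    print("reassembled-stream request count:", len(parse_reassembled(STREAM)))
```

The three counters return 18, 8 and 10 for the same bytes. Only the reassembled parse gives the true number of pipelined requests; any per-segment method depends on where the sender happened to cut the stream, which is one reason to compare tools on the reassembled stream (Wireshark's "follow TCP stream") rather than on packet counts.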