[Snort-users] snort3: problem with http_inspect

Marcin Dulak marcin.dulak at ...11827...
Sat Feb 25 18:19:38 EST 2017


On Sat, Feb 25, 2017 at 11:24 PM, Al Lewis (allewi) <allewi at ...589...>
wrote:

> Hello,
>
>         I think you need to uncomment http_inspect “remove the dashes from in front
> of it”
>

The behavior of http_inspect I described was without any dashes, with the
default snort.lua from github.
I have tested whether the Lua comment "--" makes any difference, and it does
not - I mean the dashes are treated as a comment.

-- http_inspect = { }
http_server = { }

Are you using the default lua files from github? Or maybe the few last
commits since
https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438
could have changed something?
Or maybe related to hyperscan, which I'm not using?

Marcin


>
> It alerts for me.
>
>
> ALLEWI-M-8257:snort3 allewi$ ./bin/snort -c etc/snort/marcin.lua -r
> /tmp/TEST.pcap -Acmg -k none -q
> 02/25-16:54:57.819915 [**] [1:3000001:0] "test" [**] [Priority: 0] {TCP}
> 192.168.1.128:53687 -> 74.125.196.99:80
> - - - stream_tcp[58]- - - - - - - - - - - - - - - - - - - - - - - - -
> 48 6F 73 74 3A 20 77 77 77 2E 67 6F 6F 67 6C 65  Host: www.google
> 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67 65 6E 74  .com..User-Agent
> 3A 20 63 75 72 6C 2F 37 2E 34 33 2E 30 0D 0A 41  : curl/7.43.0..A
> 63 63 65 70 74 3A 20 2A 2F 2A                    ccept: */*
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> ALLEWI-M-8257:snort3 allewi$ cat etc/snort/marcin.lua | grep alert
>         alert tcp any any -> any 80 (msg:"test";
> flow:to_server,established;http_uri; content:"/test"; sid:3000001;)
> ALLEWI-M-8257:snort3 allewi$
>
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> SOURCEfire, Inc. now part of Cisco
> Email: allewi at ...589...
>
> On 2/25/17, 2:05 PM, "Marcin Dulak" <marcin.dulak at ...11827...> wrote:
>
> >Hi,
> >
> >I have a problem with http_inspect,
> >https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438
> >
> >I make an HTTP request against the machine running snort/nfqueue:
> >
> ># curl -s -m 1 http://192.168.17.30/test
> >
> >and expect my sid:3000001 (see below) to be triggered, but only sid:4000003
> >is triggered instead.
> >My question is what am I missing to trigger sid:3000001 with the new
> >http_inspect?
> >
> >Now, when in /etc/snort/snort.lua I use
> >-- http_inspect = { }
> >http_server = { }
> >
> >then all but sid:4000001 are triggered:
> >
> ># u2spewfoo /var/log/snort/unified2.log.1488047835 | grep "sig id"
> >    sig id: 4000003    gen id: 1    revision: 0     classification: 0
> >    sig id: 3000002    gen id: 1    revision: 0     classification: 0
> >    sig id: 3000001    gen id: 1    revision: 0     classification: 0
> >    sig id: 4000002    gen id: 1    revision: 0     classification: 0
> >
> >I see the unified2 log contains also (ExtraDataHdr) (ExtraData)
> >and only two events get parsed by py-idstools, which I normally use with
> >snort2:
> >
> ># idstools-u2json /vagrant/unified2.log.1488047835 | grep signature
> >WARNING: No alert message map entries loaded.
> >WARNING: No classifications loaded.
> >ERROR: Unknown record type: 3
> >{"event": {"dport-icode": 80, "pad2": 0, "event-second": 1488047842,
> >"sensor-id": 0, "event-id": 1, "classification-id": 0, "sport-itype":
> >40062, "generator-id": 1, "signature-revision": 0, "mpls-label": 0,
> >"event-microsecond": 283661, "protocol": 6, "destination-ip":
> >"192.168.17.30", "blocked": 0, "signature-id": 4000003, "priority": 0,
> >"vlan-id": 0, "impact-flag": 0, "impact": 0, "source-ip": "192.168.17.20"}}
> >{"event": {"dport-icode": 80, "pad2": 0, "event-second": 1488047842,
> >"sensor-id": 0, "event-id": 2, "classification-id": 0, "sport-itype":
> >40062, "generator-id": 1, "signature-revision": 0, "mpls-label": 0,
> >"event-microsecond": 283661, "protocol": 255, "destination-ip":
> >"192.168.17.30", "blocked": 0, "signature-id": 3000002, "priority": 0,
> >"vlan-id": 0, "impact-flag": 0, "impact": 0, "source-ip": "192.168.17.20"}}
> >
> >Snort running as:
> >
> ># xargs -0 < /proc/`pidof snort`/cmdline
> >/usr/sbin/snort -d -Q --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort
> >-c /etc/snort/snort.lua -A unified2 -v -X --plugin-path
> >/usr/lib64/snort_extra -k none
> >
> ># iptables-save
> >*filter
> >:INPUT ACCEPT [5428:45165731]
> >:FORWARD ACCEPT [0:0]
> >:OUTPUT ACCEPT [4796:239048]
> >-A INPUT -i enp0s8 -j NFQUEUE --queue-num 0 --queue-bypass
> >-A OUTPUT -o enp0s8 -j NFQUEUE --queue-num 0 --queue-bypass
> >COMMIT
> >
> >The only difference compared to the github's lua files is in
> >/etc/snort/snort_defaults.lua
> >
> ># diff snort3/lua/snort_defaults.lua /etc/snort/snort_defaults.lua
> >32a33,35
> >> RULE_PATH = conf_dir .. '/rules'
> >> ips = { include = RULE_PATH .. '/snort.rules' }
> >>
> >
> >and the rules as follows:
> >
> ># cat /etc/snort/rules/snort.rules
> >alert tcp any any -> any 80 (msg:"test"; flow:to_server,established;
> >http_uri; content:"/test"; sid:3000001;)
> >alert tcp any any -> any 80 (msg:"test"; http_uri; content:"/test";
> >sid:3000002;)
> >alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET";
> >http_method; content: "GET"; sid:4000001;)
> >alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET";
> >http_method; sid:4000002;)
> >alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; content:
> >"GET"; sid:4000003;)
> >
> >
> >Marcin
>
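As an added example (not code from anyone in this thread), a minimal Python unified2 reader that walks the (type, length) record framing, decodes IPv4 IDS events and skips record types it does not recognise instead of aborting, which is the failure mode idstools-u2json hit above. The record type 104 and the Unified2IDSEvent field layout are assumed from the unified2 format as commonly documented; the two sample events are constructed to mirror the JSON output quoted above, not captured data.

```python
import struct
import socket

U2_HEADER = struct.Struct(">II")       # record type, record length (big-endian)
# Unified2IDSEvent (IPv4 with VLAN/MPLS fields). Assumption: this is the record
# type carrying the events shown in the idstools output above.
U2_IDS_EVENT_VLAN = 104
IDS_EVENT_VLAN = struct.Struct(">11I2H4BIHH")   # 60-byte fixed layout
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source",
                "ip_destination", "sport_itype", "dport_icode", "protocol",
                "impact_flag", "impact", "blocked", "mpls_label", "vlan_id", "pad2")

def iter_records(data):
    """Yield (type, payload) per record; stop cleanly on a truncated tail."""
    offset = 0
    while offset + U2_HEADER.size <= len(data):
        rtype, rlen = U2_HEADER.unpack_from(data, offset)
        offset += U2_HEADER.size
        if offset + rlen > len(data):
            break                       # partial record, e.g. file still being written
        yield rtype, data[offset:offset + rlen]
        offset += rlen

def parse_events(data):
    """Return (events, skipped_types); unknown records (ExtraData, packets...) are skipped."""
    events, skipped = [], []
    for rtype, payload in iter_records(data):
        if rtype != U2_IDS_EVENT_VLAN or len(payload) != IDS_EVENT_VLAN.size:
            skipped.append(rtype)
            continue
        ev = dict(zip(EVENT_FIELDS, IDS_EVENT_VLAN.unpack(payload)))
        for key in ("ip_source", "ip_destination"):
            ev[key] = socket.inet_ntoa(struct.pack(">I", ev[key]))
        events.append(ev)
    return events, skipped

def make_event(sid, src, dst, sport, dport, proto):
    """Build one constructed type-104 record (test data, not a real capture)."""
    body = IDS_EVENT_VLAN.pack(0, 1, 1488047842, 283661, sid, 1, 0, 0, 0,
                               struct.unpack(">I", socket.inet_aton(src))[0],
                               struct.unpack(">I", socket.inet_aton(dst))[0],
                               sport, dport, proto, 0, 0, 0, 0, 0, 0)
    return U2_HEADER.pack(U2_IDS_EVENT_VLAN, len(body)) + body

# Constructed sample log: two events with an unknown record type 3 between them.
SAMPLE_LOG = (make_event(4000003, "192.168.17.20", "192.168.17.30", 40062, 80, 6)
              + U2_HEADER.pack(3, 4) + b"\x00\x00\x00\x00"
              + make_event(3000002, "192.168.17.20", "192.168.17.30", 40062, 80, 255))
```

Running `parse_events` over a real unified2 file read in binary mode lists the signature ids the same way u2spewfoo does, while the skipped-type list shows which record types the reader would need extending for.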


