[Snort-users] snort3: problem with http_inspect

Marcin Dulak marcin.dulak at ...11827...
Sun Feb 26 09:25:49 EST 2017


The problem is still there when replaying the pcap, using build 227
https://github.com/snortadmin/snort3/commit/89bae69d5cd980ae56ef0322b6ef7cca87a75cf2
I'm attaching the pcap, and the outputs of http_inspect/http_server:
# SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq -c /etc/snort/snort.lua --plugin-path /usr/lib64/snort_extra -R /etc/snort/rules/snort.rules -r test.pcap -A alert_fast -d

The rules are the same as before:
# cat /etc/snort/rules/snort.rules
alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)
alert tcp any any -> any 80 (msg:"test"; http_uri; content:"/test"; sid:3000002;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; http_method; content: "GET"; sid:4000001;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; http_method; sid:4000002;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; content: "GET"; sid:4000003;)

To reproduce from a CentOS7 VM:

# cat /etc/yum.repos.d/copr-marcindulak-snort.repo
[copr-marcindulak-snort]
name=copr-marcindulak-snort
baseurl=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-$releasever-$basearch
enabled=1
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/pubkey.gpg

# yum -y install snort snort-extra

Marcin



On Sun, Feb 26, 2017 at 2:33 AM, Al Lewis (allewi) <allewi at ...589...> wrote:

> I am using the default snort.lua (with http_inspect enabled). You really
> should have those comments removed for http inspection to work properly.
>
> You can try running snort with the daq dump enabled to see the packets
> handled by snort.
>
> Also check to see if the correct number of packets are in the exit stats
> (and not discarded).
>
>
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> Email: allewi at ...589...
>
> From: Marcin Dulak <marcin.dulak at ...11827...>
> Date: Saturday, February 25, 2017 at 6:19 PM
> To: allewi <allewi at ...589...>
> Cc: 'snort-users' <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] snort3: problem with http_inspect
>
>
>
> On Sat, Feb 25, 2017 at 11:24 PM, Al Lewis (allewi) <allewi at ...589...>
> wrote:
>
>> Hello,
>>
>>         I think you need to uncomment http_inspect “remove the dashes from in front
>> of it”
>>
>
> the behavior of http_inspect I described was without any dashes, with the
> default snort.lua from github.
> I have tested whether the lua comment "--" makes any difference and it
> does not - I mean dashes are treated as a comment.
>
> -- http_inspect = { }
> http_server = { }
>
> Are you using the default lua files from github? Or maybe the few last
> commits since https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438
> could have changed something?
> Or maybe related to hyperscan, which I'm not using?
>
> Marcin
>
>
>>
>> It alerts for me.
>>
>>
>> ALLEWI-M-8257:snort3 allewi$ ./bin/snort -c etc/snort/marcin.lua -r
>> /tmp/TEST.pcap -Acmg -k none -q
>> 02/25-16:54:57.819915 [**] [1:3000001:0] "test" [**] [Priority: 0] {TCP}
>> 192.168.1.128:53687 -> 74.125.196.99:80
>> - - - stream_tcp[58]- - - - - - - - - - - - - - - - - - - - - - - - -
>> 48 6F 73 74 3A 20 77 77 77 2E 67 6F 6F 67 6C 65  Host: www.google
>> 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67 65 6E 74  .com..User-Agent
>> 3A 20 63 75 72 6C 2F 37 2E 34 33 2E 30 0D 0A 41  : curl/7.43.0..A
>> 63 63 65 70 74 3A 20 2A 2F 2A                    ccept: */*
>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>>
>> ALLEWI-M-8257:snort3 allewi$ cat etc/snort/marcin.lua | grep alert
>>         alert tcp any any -> any 80 (msg:"test";
>> flow:to_server,established;http_uri; content:"/test"; sid:3000001;)
>> ALLEWI-M-8257:snort3 allewi$
>>
>> Albert Lewis
>> ENGINEER.SOFTWARE ENGINEERING
>> SOURCEfire, Inc. now part of Cisco
>> Email: allewi at ...589...
>>
>> On 2/25/17, 2:05 PM, "Marcin Dulak" <marcin.dulak at ...11827...> wrote:
>>
>> >Hi,
>> >
>> >I have a problem with http_inspect,
>> >https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438
>> >
>> >I make an HTTP request against the machine running snort/nfqueue:
>> >
>> ># curl -s -m 1 http://192.168.17.30/test
>> >
>> >and expect my sid:3000001 (see below) to be triggered, but only
>> sid:4000003
>> >is triggered instead.
>> >My question is what am I missing to trigger sid:3000001 with the new
>> >http_inspect?
>> >
>> >Now, when in /etc/snort/snort.lua I use
>> >-- http_inspect = { }
>> >http_server = { }
>> >
>> >then all but sid:4000001 are triggered:
>> >
>> ># u2spewfoo /var/log/snort/unified2.log.1488047835 | grep "sig id"
>> >    sig id: 4000003    gen id: 1    revision: 0     classification: 0
>> >    sig id: 3000002    gen id: 1    revision: 0     classification: 0
>> >    sig id: 3000001    gen id: 1    revision: 0     classification: 0
>> >    sig id: 4000002    gen id: 1    revision: 0     classification: 0
>> >
>> >I see the unified2 log contains also (ExtraDataHdr) (ExtraData)
>> >and only two events get parsed by py-idstools, which I normally use with
>> >snort2:
>> >
>> ># idstools-u2json /vagrant/unified2.log.1488047835 | grep signature
>> >WARNING: No alert message map entries loaded.
>> >WARNING: No classifications loaded.
>> >ERROR: Unknown record type: 3
>> >{"event": {"dport-icode": 80, "pad2": 0, "event-second": 1488047842,
>> >"sensor-id": 0, "event-id": 1, "classification-id": 0, "sport-itype":
>> >40062, "generator-id": 1, "signature-revision": 0, "mpls-label": 0,
>> >"event-microsecond": 283661, "protocol": 6, "destination-ip":
>> >"192.168.17.30", "blocked": 0, "signature-id": 4000003, "priority": 0,
>> >"vlan-id": 0, "impact-flag": 0, "impact": 0, "source-ip":
>> "192.168.17.20"}}
>> >{"event": {"dport-icode": 80, "pad2": 0, "event-second": 1488047842,
>> >"sensor-id": 0, "event-id": 2, "classification-id": 0, "sport-itype":
>> >40062, "generator-id": 1, "signature-revision": 0, "mpls-label": 0,
>> >"event-microsecond": 283661, "protocol": 255, "destination-ip":
>> >"192.168.17.30", "blocked": 0, "signature-id": 3000002, "priority": 0,
>> >"vlan-id": 0, "impact-flag": 0, "impact": 0, "source-ip":
>> "192.168.17.20"}}
>> >
>> >Snort running as:
>> >
>> ># xargs -0 < /proc/`pidof snort`/cmdline
>> >/usr/sbin/snort -d -Q --daq-dir /usr/lib64/daq --daq nfq -l
>> /var/log/snort
>> >-c /etc/snort/snort.lua -A unified2 -v -X --plugin-path
>> >/usr/lib64/snort_extra -k none
>> >
>> ># iptables-save
>> >*filter
>> >:INPUT ACCEPT [5428:45165731]
>> >:FORWARD ACCEPT [0:0]
>> >:OUTPUT ACCEPT [4796:239048]
>> >-A INPUT -i enp0s8 -j NFQUEUE --queue-num 0 --queue-bypass
>> >-A OUTPUT -o enp0s8 -j NFQUEUE --queue-num 0 --queue-bypass
>> >COMMIT
>> >
>> >The only difference compared to the github's lua files is in
>> >/etc/snort/snort_defaults.lua
>> >
>> ># diff snort3/lua/snort_defaults.lua /etc/snort/snort_defaults.lua
>> >32a33,35
>> >> RULE_PATH = conf_dir .. '/rules'
>> >> ips = { include = RULE_PATH .. '/snort.rules' }
>> >>
>> >
>> >and the rules as follows:
>> >
>> ># cat /etc/snort/rules/snort.rules
>> >alert tcp any any -> any 80 (msg:"test"; flow:to_server,established;
>> >http_uri; content:"/test"; sid:3000001;)
>> >alert tcp any any -> any 80 (msg:"test"; http_uri; content:"/test";
>> >sid:3000002;)
>> >alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET";
>> >http_method; content: "GET"; sid:4000001;)
>> >alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET";
>> >http_method; sid:4000002;)
>> >alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET";
>> content:
>> >"GET"; sid:4000003;)
>> >
>> >
>> >Marcin
>>
>
>
-------------- next part --------------
--------------------------------------------------
o")~   Snort++ 3.0.0-a4-227
--------------------------------------------------
Loading /etc/snort/snort.lua:
	ssh
	rpc_decode
	pop
	stream_user
	stream_tcp
	smtp
	ssl
	gtp_inspect
	stream_ip
	appid
	stream_icmp
	reputation
	stream_udp
	file_id
	back_orifice
	classifications
	port_scan
	dnp3
	ftp_data
	ftp_server
	telnet
	ftp_client
	http_inspect
	stream
	references
	arp_spoof
	sip
	wizard
	dns
	imap
	stream_file
Finished /etc/snort/snort.lua.
Loading rules:
Loading /etc/snort/rules/snort.rules:
Finished /etc/snort/rules/snort.rules.
Finished rules.
--------------------------------------------------
rule counts
       total rules loaded: 5
               text rules: 5
            option chains: 5
            chain headers: 1
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     dst       5       0       0       0
   total       5       0       0       0
--------------------------------------------------
fast pattern port groups        src     dst     any
                   packet:        0       1       0
                      key:        0       1       0
--------------------------------------------------
search engine
                instances: 3
                 patterns: 20
            pattern chars: 103
               num states: 91
         num match states: 19
             memory scale: KB
             total memory: 6.59375
           pattern memory: 0.878906
        match list memory: 1.33594
        transition memory: 4.00391
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] /vagrant/test.pcap
02/26-13:19:45.017007 [**] [1:4000003:0] "LOCAL http_method test for GET" [**] [Priority: 0] {TCP} 192.168.17.20:34616 -> 192.168.17.30:80
192.168.17.20:34616 -> 192.168.17.30:80
TCP TTL:64 TOS:0x0 ID:36956 IpLen:20 DgmLen:133 DF
***AP*** Seq: 0x47CF898D  Ack: 0x70FAE267  Win: 0x1C9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 85858776 86238562
- - - raw[81] - - - - - - - - - - - - - - - - - - - - - - - - - - - -
47 45 54 20 2F 74 65 73 74 20 48 54 54 50 2F 31  GET /test HTTP/1
2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  .1..User-Agent: 
63 75 72 6C 2F 37 2E 32 39 2E 30 0D 0A 48 6F 73  curl/7.29.0..Hos
74 3A 20 31 39 32 2E 31 36 38 2E 31 37 2E 33 30  t: 192.168.17.30
0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 0D  ..Accept: */*...
0A                                               .
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-- [0] /vagrant/test.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 10
                 analyzed: 10
                    allow: 10
--------------------------------------------------
codec
                    total: 10          	(100.000%)
                      eth: 10          	(100.000%)
                     ipv4: 10          	(100.000%)
                      tcp: 10          	(100.000%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 10
               hard_evals: 7
             raw_searches: 1
          cooked_searches: 1
             pkt_searches: 2
             key_searches: 1
             total_alerts: 1
                   logged: 1
--------------------------------------------------
search_engine
               max_queued: 1
            total_inserts: 2
             total_unique: 2
     non_qualified_events: 8
         qualified_events: 1
--------------------------------------------------
host_tracker
             service_adds: 1
--------------------------------------------------
host_cache
           lru_cache_adds: 1
    lru_cache_find_misses: 1
--------------------------------------------------
appid
                  packets: 4
        processed_packets: 4
               http_flows: 1
--------------------------------------------------
binder
                  packets: 1
                 inspects: 1
--------------------------------------------------
file_id
              total_files: 1
          total_file_data: 202
--------------------------------------------------
http_inspect
                    flows: 1
                    scans: 5
              reassembles: 5
              inspections: 5
                 requests: 1
                responses: 1
             get_requests: 1
--------------------------------------------------
port_scan_global
                  packets: 10
--------------------------------------------------
reputation
                  packets: 1
--------------------------------------------------
stream
                tcp_flows: 1
--------------------------------------------------
stream_tcp
                 sessions: 1
                      max: 1
                  created: 1
                 released: 1
             syn_trackers: 1
              segs_queued: 5
            segs_released: 5
               segs_split: 3
                segs_used: 5
          rebuilt_packets: 2
          rebuilt_buffers: 3
            rebuilt_bytes: 263
--------------------------------------------------
wizard
                tcp_scans: 1
                 tcp_hits: 1
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.143906
                  packets: 10
                 pkts/sec: 10
o")~   Snort exiting
-------------- next part --------------
--------------------------------------------------
o")~   Snort++ 3.0.0-a4-227
--------------------------------------------------
Loading /etc/snort/snort.lua:
	ssh
	rpc_decode
	pop
	stream_user
	stream_tcp
	smtp
	ssl
	gtp_inspect
	stream_ip
	appid
	stream_icmp
	reputation
	stream_udp
	http_server
	file_id
	back_orifice
	classifications
	port_scan
	dnp3
	ftp_data
	ftp_server
	telnet
	ftp_client
	stream
	references
	arp_spoof
	sip
	wizard
	dns
	imap
	stream_file
Finished /etc/snort/snort.lua.
Loading rules:
Loading /etc/snort/rules/snort.rules:
Finished /etc/snort/rules/snort.rules.
Finished rules.
--------------------------------------------------
rule counts
       total rules loaded: 5
               text rules: 5
            option chains: 5
            chain headers: 1
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     dst       5       0       0       0
   total       5       0       0       0
--------------------------------------------------
fast pattern port groups        src     dst     any
                   packet:        0       1       0
                      key:        0       1       0
--------------------------------------------------
search engine
                instances: 3
                 patterns: 20
            pattern chars: 103
               num states: 91
         num match states: 19
             memory scale: KB
             total memory: 6.59375
           pattern memory: 0.878906
        match list memory: 1.33594
        transition memory: 4.00391
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] /vagrant/test.pcap
02/26-13:19:45.017007 [**] [1:4000003:0] "LOCAL http_method test for GET" [**] [Priority: 0] {TCP} 192.168.17.20:34616 -> 192.168.17.30:80
192.168.17.20:34616 -> 192.168.17.30:80
TCP TTL:64 TOS:0x0 ID:36956 IpLen:20 DgmLen:133 DF
***AP*** Seq: 0x47CF898D  Ack: 0x70FAE267  Win: 0x1C9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 85858776 86238562
- - - raw[81] - - - - - - - - - - - - - - - - - - - - - - - - - - - -
47 45 54 20 2F 74 65 73 74 20 48 54 54 50 2F 31  GET /test HTTP/1
2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  .1..User-Agent: 
63 75 72 6C 2F 37 2E 32 39 2E 30 0D 0A 48 6F 73  curl/7.29.0..Hos
74 3A 20 31 39 32 2E 31 36 38 2E 31 37 2E 33 30  t: 192.168.17.30
0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 0D  ..Accept: */*...
0A                                               .
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

02/26-13:19:45.017007 [**] [1:3000002:0] "test" [**] [Priority: 0] {TCP} 192.168.17.20:34616 -> 192.168.17.30:80
- - - stream_tcp[81]- - - - - - - - - - - - - - - - - - - - - - - - -
47 45 54 20 2F 74 65 73 74 20 48 54 54 50 2F 31  GET /test HTTP/1
2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  .1..User-Agent: 
63 75 72 6C 2F 37 2E 32 39 2E 30 0D 0A 48 6F 73  curl/7.29.0..Hos
74 3A 20 31 39 32 2E 31 36 38 2E 31 37 2E 33 30  t: 192.168.17.30
0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 0D  ..Accept: */*...
0A                                               .
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

02/26-13:19:45.017007 [**] [1:3000001:0] "test" [**] [Priority: 0] {TCP} 192.168.17.20:34616 -> 192.168.17.30:80
- - - stream_tcp[81]- - - - - - - - - - - - - - - - - - - - - - - - -
47 45 54 20 2F 74 65 73 74 20 48 54 54 50 2F 31  GET /test HTTP/1
2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  .1..User-Agent: 
63 75 72 6C 2F 37 2E 32 39 2E 30 0D 0A 48 6F 73  curl/7.29.0..Hos
74 3A 20 31 39 32 2E 31 36 38 2E 31 37 2E 33 30  t: 192.168.17.30
0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 0D  ..Accept: */*...
0A                                               .
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

02/26-13:19:45.017007 [**] [1:4000002:0] "LOCAL http_method test for GET" [**] [Priority: 0] {TCP} 192.168.17.20:34616 -> 192.168.17.30:80
- - - stream_tcp[81]- - - - - - - - - - - - - - - - - - - - - - - - -
47 45 54 20 2F 74 65 73 74 20 48 54 54 50 2F 31  GET /test HTTP/1
2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  .1..User-Agent: 
63 75 72 6C 2F 37 2E 32 39 2E 30 0D 0A 48 6F 73  curl/7.29.0..Hos
74 3A 20 31 39 32 2E 31 36 38 2E 31 37 2E 33 30  t: 192.168.17.30
0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 0D  ..Accept: */*...
0A                                               .
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-- [0] /vagrant/test.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 10
                 analyzed: 10
                    allow: 10
--------------------------------------------------
codec
                    total: 10          	(100.000%)
                      eth: 10          	(100.000%)
                     ipv4: 10          	(100.000%)
                      tcp: 10          	(100.000%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 10
               hard_evals: 7
             raw_searches: 1
          cooked_searches: 1
             pkt_searches: 2
             key_searches: 1
             total_alerts: 4
                   logged: 4
                log_limit: 1
              alert_limit: 1
--------------------------------------------------
search_engine
               max_queued: 1
            total_inserts: 3
             total_unique: 3
     non_qualified_events: 6
         qualified_events: 4
--------------------------------------------------
host_tracker
             service_adds: 1
--------------------------------------------------
host_cache
           lru_cache_adds: 1
    lru_cache_find_misses: 1
--------------------------------------------------
appid
                  packets: 4
        processed_packets: 4
--------------------------------------------------
binder
                  packets: 1
                 inspects: 1
--------------------------------------------------
file_id
              total_files: 1
          total_file_data: 202
--------------------------------------------------
http_global
                  packets: 2
                     gets: 1
          request_headers: 1
         response_headers: 1
--------------------------------------------------
port_scan_global
                  packets: 10
--------------------------------------------------
reputation
                  packets: 1
--------------------------------------------------
stream
                tcp_flows: 1
--------------------------------------------------
stream_tcp
                 sessions: 1
                      max: 1
                  created: 1
                 released: 1
             syn_trackers: 1
              segs_queued: 2
            segs_released: 2
                segs_used: 2
          rebuilt_packets: 2
            rebuilt_bytes: 443
--------------------------------------------------
wizard
                tcp_scans: 1
                 tcp_hits: 1
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.141575
                  packets: 10
                 pkts/sec: 10
o")~   Snort exiting

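The thread boils down to two checks: which of the five sids actually fired, and whether the DAQ handed every packet of the pcap to the detection engine (Al's "exit stats" suggestion). The script below is an added example, not code from the thread or from the Snort project. It parses the rules file and the alert_fast plus exit-statistics output in the shapes quoted above, reports fired and missing sids, flags the missing rules that depend on HTTP sticky buffers (http_uri, http_method), and confirms that daq received equals daq analyzed. The sample inputs are constructed from the text of this thread; the HTTP_BUFFERS set and the section-name pattern are assumptions about the output format, not a Snort API.

```python
"""Check which Snort 3 rules fired on a pcap replay and whether every packet was analyzed.

Added example, not code from the thread or from the Snort project. The regexes
describe the text shapes quoted in the thread; HTTP_BUFFERS is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample input: the rules quoted in the thread, each joined onto one line.
RULES_TEXT = """\
alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)
alert tcp any any -> any 80 (msg:"test"; http_uri; content:"/test"; sid:3000002;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; http_method; content: "GET"; sid:4000001;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; http_method; sid:4000002;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; content: "GET"; sid:4000003;)
"""

# Constructed sample input: the alert line and the daq/detection exit stats from the
# http_inspect run in the thread (other sections omitted).
SNORT_OUTPUT = """\
02/26-13:19:45.017007 [**] [1:4000003:0] "LOCAL http_method test for GET" [**] [Priority: 0] {TCP} 192.168.17.20:34616 -> 192.168.17.30:80
--------------------------------------------------
daq
                    pcaps: 1
                 received: 10
                 analyzed: 10
                    allow: 10
--------------------------------------------------
detection
                 analyzed: 10
             total_alerts: 1
                   logged: 1
"""

# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((?P<opts>.*)\)\s*$")
# One option: name, optional ':value' (quoted or bare), terminated by ';'
OPT_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
# alert_fast event reference: [gid:sid:rev]
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]")
# Exit-stats layout: an unindented section name, then indented 'counter: value' lines
SECTION_RE = re.compile(r"^[a-z_]+$")
STAT_RE = re.compile(r"^\s+(\S+):\s*(\S+)")
# Options that only match when the HTTP inspector fills its buffers (assumption)
HTTP_BUFFERS = {"http_uri", "http_raw_uri", "http_method", "http_header",
                "http_cookie", "http_client_body", "http_stat_code"}


@dataclass
class Rule:
    sid: int
    msg: str
    options: List[Tuple[str, str]]
    buffers: Set[str]


def parse_rules(text: str) -> Dict[int, Rule]:
    """Map sid -> Rule for every rule line; comments and blank lines are skipped."""
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = [(k, v.strip('"')) for k, v in OPT_RE.findall(m.group("opts"))]
        d = dict(opts)
        sid = int(d["sid"])
        rules[sid] = Rule(sid, d.get("msg", ""), opts,
                          {k for k, _ in opts if k in HTTP_BUFFERS})
    return rules


def fired_sids(output: str) -> Counter:
    """Count alert_fast events per sid."""
    return Counter(int(m.group("sid")) for m in ALERT_RE.finditer(output))


def parse_stats(output: str) -> Dict[str, Dict[str, int]]:
    """Collect the integer exit statistics, keyed by section then counter name."""
    stats: Dict[str, Dict[str, int]] = {}
    section = None
    for line in output.splitlines():
        if SECTION_RE.match(line):
            section = line
            stats.setdefault(section, {})
            continue
        m = STAT_RE.match(line)
        if section and m and m.group(2).isdigit():
            stats[section][m.group(1)] = int(m.group(2))
    return stats


def diagnose(rules: Dict[int, Rule], output: str) -> dict:
    """Compare expected sids against fired ones and sanity-check the DAQ counters."""
    fired = fired_sids(output)
    stats = parse_stats(output)
    daq = stats.get("daq", {})
    received, analyzed = daq.get("received", 0), daq.get("analyzed", 0)
    missing = sorted(sid for sid in rules if sid not in fired)
    return {
        "fired": dict(fired),
        "missing": missing,
        # Missing rules that need HTTP buffers point at the inspector, not at the pcap
        "missing_http_buffer_rules": [sid for sid in missing if rules[sid].buffers],
        "all_packets_analyzed": received > 0 and received == analyzed,
        "total_alerts": stats.get("detection", {}).get("total_alerts", 0),
    }


if __name__ == "__main__":
    report = diagnose(parse_rules(RULES_TEXT), SNORT_OUTPUT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the http_inspect output, it reports that all 10 received packets were analyzed and that the four missing sids (3000001, 3000002, 4000001, 4000002) are exactly the ones that need an HTTP buffer, while the plain content rule 4000003 fired; that separates a capture or DAQ problem from an inspector problem before anyone starts changing snort.lua. To use it on a real run, read the rules file and the saved snort output into the two strings instead of the constructed samples.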
