[Snort-users] snort3: problem with http_inspect

Al Lewis (allewi) allewi at ...589...
Sun Feb 26 13:17:36 EST 2017


Try running it without nfq.

ALLEWI-M-8257:marcin-issue allewi$ ./bin/snort -c etc/snort/marcin.lua -r ~/Downloads/marcin-sent.pcap -Acsv -q
02/26-08:19:45.017007, 4, TCP, raw, 133, C2S, 192.168.17.20:34616, 192.168.17.30:80, 1:4000003:0, allow
02/26-08:19:45.017007, 5, TCP, stream_tcp, 57, C2S, 192.168.17.20:34616, 192.168.17.30:80, 1:3000002:0, allow
02/26-08:19:45.017007, 5, TCP, stream_tcp, 57, C2S, 192.168.17.20:34616, 192.168.17.30:80, 1:3000001:0, allow
02/26-08:19:45.017007, 5, TCP, stream_tcp, 57, C2S, 192.168.17.20:34616, 192.168.17.30:80, 1:4000002:0, allow



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...

From: Marcin Dulak <marcin.dulak at ...11827...>
Date: Sunday, February 26, 2017 at 9:25 AM
To: allewi <allewi at ...589...>
Cc: 'snort-users' <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] snort3: problem with http_inspect

The problem still there when replaying pcap, using build 227 https://github.com/snortadmin/snort3/commit/89bae69d5cd980ae56ef0322b6ef7cca87a75cf2
I'm attaching the pcap, and the outputs of http_inspect/http_server:
# SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq -c /etc/snort/snort.lua --plugin-path /usr/lib64/snort_extra -R /etc/snort/rules/snort.rules -r test.pcap -A alert_fast -d

The rules are the same as before:
# cat /etc/snort/rules/snort.rules
alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)
alert tcp any any -> any 80 (msg:"test"; http_uri; content:"/test"; sid:3000002;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; http_method; content: "GET"; sid:4000001;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; http_method; sid:4000002;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; content: "GET"; sid:4000003;)

To reproduce from a CentOS7 VM:

# cat /etc/yum.repos.d/copr-marcindulak-snort.repo
[copr-marcindulak-snort]
name=copr-marcindulak-snort
baseurl=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-$releasever-$basearch
enabled=1
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/pubkey.gpg

# yum -y install snort snort-extra

Marcin



On Sun, Feb 26, 2017 at 2:33 AM, Al Lewis (allewi) <allewi at ...589...> wrote:
I am using the default snort.lua (with http_inspect enabled). You really should have those comments removed for http inspection to work properly.

You can try running snort with the daq dump enabled to see the packets handled by snort.

Also check to see if the correct number of packets are in the exit stats (and not discarded).



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...

From: Marcin Dulak <marcin.dulak at ...11827...>
Date: Saturday, February 25, 2017 at 6:19 PM
To: allewi <allewi at ...589...>
Cc: 'snort-users' <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] snort3: problem with http_inspect



On Sat, Feb 25, 2017 at 11:24 PM, Al Lewis (allewi) <allewi at ...589...> wrote:
Hello,

I think you need to uncomment http_inspect “remove the dashes from in front of it”

the behavior of http_inspect I described was without any dashes, with the default snort.lua from github.
I have tested whether the lua comment "--" makes any difference and it does not - I mean dashes are treated as a comment.

-- http_inspect = { }
http_server = { }

Are you using the default lua files from github? Or maybe the few last commits since https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438 could have changed something?
Or maybe related to hyperscan, which I'm not using?

Marcin


It alerts for me.


ALLEWI-M-8257:snort3 allewi$ ./bin/snort -c etc/snort/marcin.lua -r /tmp/TEST.pcap -Acmg -k none -q
02/25-16:54:57.819915 [**] [1:3000001:0] "test" [**] [Priority: 0] {TCP} 192.168.1.128:53687 -> 74.125.196.99:80
- - - stream_tcp[58]- - - - - - - - - - - - - - - - - - - - - - - - -
48 6F 73 74 3A 20 77 77 77 2E 67 6F 6F 67 6C 65  Host: www.google
2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67 65 6E 74  .com..User-Agent
3A 20 63 75 72 6C 2F 37 2E 34 33 2E 30 0D 0A 41  : curl/7.43.0..A
63 63 65 70 74 3A 20 2A 2F 2A                    ccept: */*
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ALLEWI-M-8257:snort3 allewi$ cat etc/snort/marcin.lua | grep alert
        alert tcp any any -> any 80 (msg:"test"; flow:to_server,established;http_uri; content:"/test"; sid:3000001;)
ALLEWI-M-8257:snort3 allewi$

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...

On 2/25/17, 2:05 PM, "Marcin Dulak" <marcin.dulak at ...11827...> wrote:

>Hi,
>
>I have a problem with http_inspect,
>https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438
>
>I make an HTTP request against the machine running snort/nfqueue:
>
># curl -s -m 1 http://192.168.17.30/test
>
>and expect my sid:3000001 (see below) to be triggered, but only sid:4000003
>is triggered instead.
>My question is what am I missing to trigger sid:3000001 with the new
>http_inspect?
>
>Now, when in /etc/snort/snort.lua I use
>-- http_inspect = { }
>http_server = { }
>
>then all but sid:4000001 are triggered:
>
># u2spewfoo /var/log/snort/unified2.log.1488047835 | grep "sig id"
>    sig id: 4000003    gen id: 1    revision: 0     classification: 0
>    sig id: 3000002    gen id: 1    revision: 0     classification: 0
>    sig id: 3000001    gen id: 1    revision: 0     classification: 0
>    sig id: 4000002    gen id: 1    revision: 0     classification: 0
>
>I see the unified2 log contains also (ExtraDataHdr) (ExtraData)
>and only two events get parsed by py-idstools, which I normally use with
>snort2:
>
># idstools-u2json /vagrant/unified2.log.1488047835 | grep signature
>WARNING: No alert message map entries loaded.
>WARNING: No classifications loaded.
>ERROR: Unknown record type: 3
>{"event": {"dport-icode": 80, "pad2": 0, "event-second": 1488047842,
>"sensor-id": 0, "event-id": 1, "classification-id": 0, "sport-itype":
>40062, "generator-id": 1, "signature-revision": 0, "mpls-label": 0,
>"event-microsecond": 283661, "protocol": 6, "destination-ip":
>"192.168.17.30", "blocked": 0, "signature-id": 4000003, "priority": 0,
>"vlan-id": 0, "impact-flag": 0, "impact": 0, "source-ip": "192.168.17.20"}}
>{"event": {"dport-icode": 80, "pad2": 0, "event-second": 1488047842,
>"sensor-id": 0, "event-id": 2, "classification-id": 0, "sport-itype":
>40062, "generator-id": 1, "signature-revision": 0, "mpls-label": 0,
>"event-microsecond": 283661, "protocol": 255, "destination-ip":
>"192.168.17.30", "blocked": 0, "signature-id": 3000002, "priority": 0,
>"vlan-id": 0, "impact-flag": 0, "impact": 0, "source-ip": "192.168.17.20"}}
>
>Snort running as:
>
># xargs -0 < /proc/`pidof snort`/cmdline
>/usr/sbin/snort -d -Q --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort
>-c /etc/snort/snort.lua -A unified2 -v -X --plugin-path
>/usr/lib64/snort_extra -k none
>
># iptables-save
>*filter
>:INPUT ACCEPT [5428:45165731]
>:FORWARD ACCEPT [0:0]
>:OUTPUT ACCEPT [4796:239048]
>-A INPUT -i enp0s8 -j NFQUEUE --queue-num 0 --queue-bypass
>-A OUTPUT -o enp0s8 -j NFQUEUE --queue-num 0 --queue-bypass
>COMMIT
>
>The only difference compared to the github's lua files is in
>/etc/snort/snort_defaults.lua
>
># diff snort3/lua/snort_defaults.lua /etc/snort/snort_defaults.lua
>32a33,35
>> RULE_PATH = conf_dir .. '/rules'
>> ips = { include = RULE_PATH .. '/snort.rules' }
>>
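Review bot: assigning the whole `ips` table here in snort_defaults.lua (`ips = { include = RULE_PATH .. '/snort.rules' }`) is fragile: any later whole-table assignment `ips = { ... }` in snort.lua (the stock snort.lua carries one) replaces this table and silently drops the include, and `RULE_PATH` also depends on `conf_dir` being set from the environment before this line runs. Put the include in the `ips` table that snort.lua itself defines, or keep passing the rules with `-R` as the later pcap run does, and confirm at startup that the expected number of rules is reported.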
>
>and the rules as follows:
>
># cat /etc/snort/rules/snort.rules
>alert tcp any any -> any 80 (msg:"test"; flow:to_server,established;
>http_uri; content:"/test"; sid:3000001;)
>alert tcp any any -> any 80 (msg:"test"; http_uri; content:"/test";
>sid:3000002;)
>alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET";
>http_method; content: "GET"; sid:4000001;)
>alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET";
>http_method; sid:4000002;)
>alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; content:
>"GET"; sid:4000003;)
>
>
>Marcin
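The "Unknown record type: 3" error quoted above is where py-idstools balked and the remaining events went unreported. As an added example (not from the thread, not idstools code, and not Snort's own logger), here is a minimal unified2 reader that decodes the classic Snort 2 IDS event layouts (types 7 and 104; the mpls-label, vlan-id and pad2 keys in the JSON above match the type-104 layout) and steps over any record it does not understand using the length field rather than stopping. The sample stream is constructed; the type-3 record holds dummy bytes, and its type number is taken from the error message only.

```python
import ipaddress
import struct

HDR = struct.Struct("!II")  # serial-unit header: record type, record length (network order)
# Classic Snort 2 IDS event layouts: type 7 (52 bytes) and type 104 (60 bytes; adds
# mpls_label / vlan_id / pad2, the extra keys visible in the idstools JSON above).
FMT7 = "!" + "I" * 11 + "HHBBBB"
EVENT7, EVENT104 = struct.Struct(FMT7), struct.Struct(FMT7 + "IHH")
FIELDS7 = ("sensor_id", "event_id", "event_second", "event_microsecond", "signature_id",
           "generator_id", "signature_revision", "classification_id", "priority_id",
           "ip_source", "ip_destination", "sport_itype", "dport_icode", "protocol",
           "impact_flag", "impact", "blocked")
FIELDS104 = FIELDS7 + ("mpls_label", "vlan_id", "pad2")

def _decode(layout, names, body):
    ev = dict(zip(names, layout.unpack_from(body)))
    for key in ("ip_source", "ip_destination"):
        ev[key] = str(ipaddress.IPv4Address(ev[key]))
    return ev

def parse_unified2(data):
    """Walk the records; decode known event types, step over others by their length."""
    events, skipped, off = [], [], 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        body = data[off + HDR.size:off + HDR.size + rlen]
        if len(body) < rlen:
            raise ValueError("truncated record type %d at offset %d" % (rtype, off))
        if rtype == 7 and rlen == EVENT7.size:
            events.append(_decode(EVENT7, FIELDS7, body))
        elif rtype == 104 and rlen == EVENT104.size:
            events.append(_decode(EVENT104, FIELDS104, body))
        else:
            skipped.append(rtype)  # e.g. the type-3 record idstools rejected above
        off += HDR.size + rlen
    return events, skipped

def _record(rtype, body):
    return HDR.pack(rtype, len(body)) + body

def sample_log():
    """Constructed test stream: the thread's sids as type-104 events, plus a dummy type-3 record."""
    src = int(ipaddress.IPv4Address("192.168.17.20"))
    dst = int(ipaddress.IPv4Address("192.168.17.30"))
    def event(event_id, sid):
        return EVENT104.pack(0, event_id, 1488047842, 283661, sid, 1, 0, 0, 0,
                             src, dst, 40062, 80, 6, 0, 0, 0, 0, 0, 0)
    return (_record(104, event(1, 4000003)) + _record(3, b"\x00" * 16)
            + _record(104, event(2, 3000002)) + _record(104, event(3, 3000001)))
```

Run `parse_unified2(open(path, "rb").read())` on a real unified2 file; the returned `skipped` list tells you which record types the reader is silently passing over.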