[Snort-users] behavior file vs. device capturing

Felix Erlacher felix.erlacher at uibk.ac.at
Thu Nov 30 05:28:54 EST 2017


No hints?

Now I tried to replay the trace over the network and capture it with
snort (via the NIC) again, hoping it would show the same behavior as if
I captured it directly. It does not.
But the notable thing is, when replayed and captured via the NIC it does
show the alert from the HTTP request (as it is supposed to). If it reads
directly from the file, no alert is shown.

Why is there a difference? The packets are exactly the same.

I attached the network trace if anyone is interested.

regards

Felix

On 27/11/17 17:58, Erlacher, Felix wrote:
> Dear all,
> 
> while I was trying to further investigate an alert, I stumbled upon a
> strange behavior that I was able to reproduce the following way:
> If I send an HTTP request to a local HTTP server and have snort listen
> on the NIC, everything behaves as I would expect it to do.
> Now if I make snort read the pcapng file that I captured (with
> Wireshark) during this attempt, the TCP stream preprocessor behaves
> differently, triggering 3 timeouts and discarding one packet (which
> finally leads to snort not triggering the alert contained in the HTTP
> request).
> 
> What makes snort behave differently when configured to read from file
> compared to the configuration when reading from a NIC interface?
> 
> Below you find the stream statistics for both runs.
> I use snort 2.9.11 with daq 2.0.6 compiled from source on Debian 8
> (kernel 3.16). The snort.conf is the original one from the tarball.
> 
> -----------------------------
> sudo snort -c /etc/snort.conf -k none -i wlan0:
> -----------------------------
> Stream statistics:
>             Total sessions: 1
>               TCP sessions: 1
> TCP StreamTrackers Created: 1
> TCP StreamTrackers Deleted: 1
>               TCP Timeouts: 0
>        TCP Segments Queued: 2
>      TCP Segments Released: 2
>        TCP Rebuilt Packets: 2
>          TCP Segments Used: 2
>               TCP Discards: 0
>            TCP Port Filter
>                    Tracked: 10
> 
> -----------------------------
> sudo snort -c /etc/snort.conf -k none -r ~/justCaptured.pcapng:
> -----------------------------
> Stream statistics:
>             Total sessions: 1
>               TCP sessions: 1
> 
> TCP StreamTrackers Created: 2
> TCP StreamTrackers Deleted: 2
>               TCP Timeouts: 3
>        TCP Segments Queued: 0
>      TCP Segments Released: 0
>        TCP Rebuilt Packets: 0
>          TCP Segments Used: 0
>               TCP Discards: 1
>            TCP Port Filter
>                    Tracked: 10
> 
> Thanks and regards
> 
> Felix
-------------- next part --------------
A non-text attachment was scrubbed...
Name: justCaptured.pcapng
Type: application/x-pcapng
Size: 1988 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20171130/3e47b8c0/attachment.bin>
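Snort's stream tracker ages sessions by the timestamps on the packets it sees, and with -r those come from the capture file rather than the wall clock, so a capture whose timestamps run backwards or jump by more than the session timeout is one thing to rule out before suspecting the preprocessor itself. The following is an added example, not code from the thread or from the Snort project: a dependency-free Python reader for little-endian pcapng Enhanced Packet Blocks that honours if_tsresol and flags backwards or over-timeout gaps between consecutive packets; the capture it builds is constructed, and the 30 s idle_timeout is an assumption matching the documented stream5_tcp default.

```python
import struct

def parse_pcapng(data):
    """Return [(iface_id, ts_seconds, packet_bytes)] from a little-endian pcapng blob."""
    off, ifaces, tsresol, out = 0, 0, {}, []
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        body = data[off + 8:off + blen - 4]        # block body sits between the two length fields
        if btype == 0x0A0D0D0A:                    # Section Header Block: interface ids restart
            ifaces, tsresol = 0, {}
        elif btype == 1:                           # Interface Description Block
            res, o = 1e-6, 8                       # if_tsresol defaults to microseconds
            while o + 4 <= len(body):
                code, ln = struct.unpack_from("<HH", body, o)
                if code == 0:
                    break
                if code == 9:                      # if_tsresol: MSB set -> 2^-n, else 10^-n
                    v = body[o + 4]
                    res = 2.0 ** -(v & 0x7F) if v & 0x80 else 10.0 ** -(v & 0x7F)
                o += 4 + ((ln + 3) & ~3)           # option values are padded to 32 bits
            tsresol[ifaces], ifaces = res, ifaces + 1
        elif btype == 6:                           # Enhanced Packet Block
            iid, hi, lo, caplen = struct.unpack_from("<IIII", body, 0)
            out.append((iid, ((hi << 32) | lo) * tsresol.get(iid, 1e-6), body[20:20 + caplen]))
        off += blen
    return out

def check_timing(packets, idle_timeout=30.0):
    """List (index, reason) for packets whose timestamp runs backwards or exceeds the idle timeout."""
    problems = []
    for i in range(1, len(packets)):
        gap = packets[i][1] - packets[i - 1][1]
        if gap < 0:
            problems.append((i, "timestamp goes backwards by %.6fs" % -gap))
        elif gap > idle_timeout:
            problems.append((i, "gap of %.1fs exceeds idle timeout" % gap))
    return problems

def _block(btype, body):
    body += b"\0" * (-len(body) % 4)               # pcapng blocks are 32-bit aligned
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)

def build_sample(ticks, tsresol_byte=6):
    """Constructed sample capture: SHB, one Ethernet IDB carrying if_tsresol, one 4-byte EPB per tick."""
    shb = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    opts = struct.pack("<HHB", 9, 1, tsresol_byte) + b"\0" * 3 + struct.pack("<HH", 0, 0)
    idb = _block(1, struct.pack("<HHI", 1, 0, 65535) + opts)
    epbs = [_block(6, struct.pack("<IIIII", 0, t >> 32, t & 0xFFFFFFFF, 4, 4) + b"\xde\xad\xbe\xef") for t in ticks]
    return shb + idb + b"".join(epbs)
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_pcapng` and print what `check_timing` returns; an empty list means the capture's clock is not what is driving the timeouts.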