Snort mailing list archives
Snort HTTP Pre-processor issues
From: Sharath Hiremagalore <hssharath () gmail com>
Date: Wed, 25 Jul 2012 15:07:17 -0400
Hello,

I am trying to run Snort on a large set of pcap files with HTTP traffic to a web server. The pcap files contain only ingress packets to the web server and are missing the responses from the web server. I configured and installed Snort on two distros, Ubuntu 12.04 and CentOS 6.3. On the Ubuntu box, I installed Snort 2.9.2.2 from the repository packages; on CentOS 6.3, I installed Snort 2.9.3 from source. I downloaded the latest set of rules from the Snort web page and enabled only the web rules with HTTP_SERVERS as the destination. I used the Snort configuration that came with the latest rule set for the experiments.

When I ran Snort on the Ubuntu server, http_inspect shows the number of GET/POST requests seen in the summary when Snort finishes running. However, no alerts are generated on the pcaps. I have looked at the packets in one of the pcaps and see the /etc/passwd attack in the GET request. This should have been identified by the rule with sid:1122 in 'web-misc.rules'.

On repeating the same experiment on the CentOS server, http_inspect does not even report the GET/POST requests in the summary. Also, no alerts were generated on CentOS. This rule sid:1122 (web-misc.rules) is triggered only when I remove the 'flow:to_server,established' and 'http_uri' conditions from the rule.

Does http_inspect require flows to parse the URI? Is there a way I can configure http_inspect to work only on the ingress packets to the web server?

Thanks,
Sharath
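The post contrasts a rule that matches with `http_uri` against the same rule with that modifier stripped. The following is an added example, not code from the poster or from Snort: it approximates what an `http_uri` match sees (the normalized URI that exists only once the request line has been parsed) next to what a raw content match sees (the packet bytes), over constructed request-only samples like those in an ingress-only pcap. The normalization here (single-pass percent-decoding, `/./` and `/../` collapsing) is a simplified stand-in for http_inspect's, and all function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (client side only, as in a pcap without replies).
SAMPLE_REQUESTS = [
    b"GET /cgi-bin/view.cgi?file=/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /cgi-bin/view.cgi?file=%2Fetc%2Fpasswd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /cgi-bin/../etc/./passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")


def extract_uri(request):
    """Return the raw URI from the request line, or None if it does not parse."""
    m = REQUEST_LINE.match(request)
    return m.group(2).decode("latin-1") if m else None


def normalize_uri(uri):
    """Simplified stand-in for http_inspect normalization (assumption, not
    Snort's code): percent-decode once, drop '.' segments, resolve '..'."""
    path, sep, query = uri.partition("?")
    parts = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts) + (sep + unquote(query) if sep else "")


def match_raw(request, pattern=b"/etc/passwd"):
    """What a plain content match on the packet payload would see."""
    return pattern in request


def match_http_uri(request, pattern="/etc/passwd"):
    """What an http_uri match sees: only the normalized, parsed URI."""
    uri = extract_uri(request)
    return uri is not None and pattern in normalize_uri(uri)


def scan(requests):
    """Per request: (raw content hit, http_uri hit)."""
    return [(match_raw(r), match_http_uri(r)) for r in requests]
```

Only the first sample is caught by both matchers; the encoded and traversal forms are caught only on the normalized URI, which is why a rule that depends on `http_uri` produces nothing when the preprocessor never parsed the request.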