Snort mailing list archives
HTTP Reassembly issue PAF enabled
From: Parmendra Pratap <parmendra.pratap () yahoo com>
Date: Tue, 2 Apr 2013 15:38:14 -0700 (PDT)
Hi,

I have been looking into Snort lately for IDS and network data analysis needs at work. It looks like I have uncovered an issue with PAF-enabled reassembly of HTTP data, or perhaps in the alert plugins. Any input is well appreciated.

Apparently, with PAF enabled, the HTTP-specific checks fire off only on receipt of the subsequent ACK packet, even if the HTTP PDU data fits completely in the current packet. With PAF disabled the issue seems to correct itself.

Looking at the code in snort_httpinspect.c, it appears that HTTP-specific processing is short-circuited due to the following check:

    #ifdef ENABLE_PAF
        if ( ScPafEnabled() && (p->packet_flags & PKT_STREAM_INSERT) && !PacketHasFullPDU(p) )

PacketHasFullPDU(p) only evaluates true on receipt of the subsequent ACK, even if the current packet does hold the complete PDU.

Steps to replicate:

Below is a rule to print an alert on receipt of HTTP GET requests (the rev option needs its terminating semicolon for Snort to parse the rule):

    custom_log tcp any any <> any 80 (msg:"DUMP"; content:"GET"; http_method; sid:1000001; rev:1;)

    ruletype custom_log
    {
        type alert
        output alert_full
        output log_tcpdump: log_alert.csv.dump
    }

Try any curl/wget request now.

Test 1 (PAF enabled): log from alert_full with paf_max = 16000

    [Priority: 0]
    04/02-22:59:33.414512 10.0.144.XXX:2228 -> 10.8.XX.XX
    TCP TTL:64 TOS:0x0 ID:23556 IpLen:20 DgmLen:443 DF
    ***A**** Seq: 0x88CC7A97  Ack: 0x504A44DD  Win: 0x3CB8  TcpLen: 20

Test 2 (PAF disabled): log from alert_full with paf_max = 0

    [**] [1:1000001:1] DUMP [**]
    [Priority: 0]
    04/02-23:09:35.761077 10.0.XX.XX:2286 -> 10.8.XX.XX
    TCP TTL:122 TOS:0x0 ID:52317 IpLen:20 DgmLen:443 DF
    ***AP*** Seq: 0xDB1E4DB7  Ack: 0x66F537C3  Win: 0xFFFF  TcpLen: 20

A close look will reveal that the TCP headers are different: A vs. AP. A tcpdump and Wireshark capture confirms that the Test 2 results are correct, whereas Test 1 is showing incorrect TCP data in the alert log.

Thanks,
PP
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
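The check the post relies on (comparing the TCP flags and payload size of the packet an alert_full record points at with what the capture shows) is easy to do by hand for two alerts but tedious across a log. The following is an added example, not code from the post or from Snort: a small parser for the alert_full record shape shown above that extracts flags, sequence numbers and the payload length implied by DgmLen - IpLen - TcpLen, and a heuristic triage that flags HTTP-request alerts whose packet carries no payload or lacks PSH so they can be cross-checked against the pcap. The sample input is constructed by copying the two records from the post (redacted addresses kept); the verdict strings and the PSH heuristic are this example's own choices, not Snort semantics.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two alert_full records quoted in the post above,
# kept with the poster's redacted addresses. Not a capture of my own.
ALERT_FULL_SAMPLE = """\
[Priority: 0]
04/02-22:59:33.414512 10.0.144.XXX:2228 -> 10.8.XX.XX
TCP TTL:64 TOS:0x0 ID:23556 IpLen:20 DgmLen:443 DF
***A**** Seq: 0x88CC7A97  Ack: 0x504A44DD  Win: 0x3CB8  TcpLen: 20

[**] [1:1000001:1] DUMP [**]
[Priority: 0]
04/02-23:09:35.761077 10.0.XX.XX:2286 -> 10.8.XX.XX
TCP TTL:122 TOS:0x0 ID:52317 IpLen:20 DgmLen:443 DF
***AP*** Seq: 0xDB1E4DB7  Ack: 0x66F537C3  Win: 0xFFFF  TcpLen: 20
"""


@dataclass
class AlertPacket:
    """One packet as described by an alert_full record."""
    timestamp: str
    src: str
    dst: str
    ip_len: int
    dgm_len: int
    tcp_len: int
    flags: str   # 8-char flag string as printed by Snort, e.g. "***AP***"
    seq: int
    ack: int

    @property
    def payload_len(self) -> int:
        # IP total length minus IP header minus TCP header = TCP payload bytes.
        return self.dgm_len - self.ip_len - self.tcp_len

    def has(self, flag: str) -> bool:
        # A letter present in the flag string means that flag is set.
        return flag in self.flags


# Line shapes from the alert_full format quoted in the post.
HDR_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)$")
IP_RE = re.compile(r"IpLen:(\d+)\s+DgmLen:(\d+)")
TCP_RE = re.compile(
    r"^([*UAPRSF12]{8})\s+Seq:\s*0x([0-9A-Fa-f]+)\s+Ack:\s*0x([0-9A-Fa-f]+)"
    r".*TcpLen:\s*(\d+)"
)


def parse_alert_full(text: str) -> list[AlertPacket]:
    """Parse alert_full records; a record is complete once its TCP line is seen."""
    packets: list[AlertPacket] = []
    cur: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HDR_RE.match(line)
        if m:
            cur = {"timestamp": m.group(1), "src": m.group(2), "dst": m.group(3)}
            continue
        m = IP_RE.search(line)
        if m and cur:
            cur["ip_len"] = int(m.group(1))
            cur["dgm_len"] = int(m.group(2))
            continue
        m = TCP_RE.match(line)
        if m and cur:
            cur["flags"] = m.group(1)
            cur["seq"] = int(m.group(2), 16)
            cur["ack"] = int(m.group(3), 16)
            cur["tcp_len"] = int(m.group(4))
            packets.append(AlertPacket(**cur))
            cur = {}
    return packets


def triage_http_request_alerts(packets: list[AlertPacket]) -> list[tuple[str, int, str]]:
    """Heuristic triage (this example's own): an alert on an HTTP request should
    point at a packet that carries payload; a request segment without PSH is
    worth checking against the pcap before trusting the logged packet."""
    out = []
    for p in packets:
        if p.payload_len <= 0:
            verdict = "no payload: alert points at a bare ACK"
        elif not p.has("P"):
            verdict = "payload but no PSH: compare against pcap"
        else:
            verdict = "ok"
        out.append((p.flags, p.payload_len, verdict))
    return out


if __name__ == "__main__":
    for flags, plen, verdict in triage_http_request_alerts(parse_alert_full(ALERT_FULL_SAMPLE)):
        print(f"{flags}  payload={plen:4d}  {verdict}")
```

Run against a real alert_full file by replacing ALERT_FULL_SAMPLE with its contents; the Seq value of a flagged record is what to search for in the tcpdump capture (tcp.seq_raw in Wireshark) to see which segment Snort actually attached the alert to.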
Current thread:
- HTTP Reassembly issue PAF enabled Parmendra Pratap (Apr 02)
- Re: HTTP Reassembly issue PAF enabled Hui Cao (Apr 03)
- <Possible follow-ups>
- Re: HTTP Reassembly issue PAF enabled Parmendra Pratap (Apr 04)
- Re: HTTP Reassembly issue PAF enabled Hui Cao (Apr 04)
- Re: HTTP Reassembly issue PAF enabled Hui Cao (Apr 04)
- Re: HTTP Reassembly issue PAF enabled Parmendra Pratap (Apr 05)
- Re: HTTP Reassembly issue PAF enabled Russ Combs (Apr 05)
- Re: HTTP Reassembly issue PAF enabled Parmendra Pratap (Apr 05)
- Re: HTTP Reassembly issue PAF enabled Russ Combs (Apr 08)
- Re: HTTP Reassembly issue PAF enabled Parmendra Pratap (Apr 08)
- Re: HTTP Reassembly issue PAF enabled Russ Combs (Apr 08)