Snort mailing list archives
enable_xff with Snort
From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Sun, 22 Sep 2013 16:00:59 +0530
Hi, I have been trying to configure snort's http_inspect for some time now without any success.

Excerpt from snort.conf:

    # HTTP normalization and anomaly detection. For more information, see README.http_inspect
    preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
    preprocessor http_inspect_server: server { 10.0.0.0/8 192.168.1.0/24 192.168.56.0/24 } \
        profile all ports { 80 81 82 83 84 85 86 87 88 89 90 311 383 591 593 631 901 1220 1414 1741 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250 6080 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 10000 11371 34443 34444 41080 50000 50002 55555 } enable_xff

Here you can see that I have turned on enable_xff. While running snort I can see that "Enable XFF and True Client IP: YES":

    HttpInspect Config:
        GLOBAL CONFIG
          Max Pipeline Requests:    0
          Inspection Type:          STATELESS
          Detect Proxy Usage:       NO
          IIS Unicode Map Filename: /store/snort/etc/unicode.map
          IIS Unicode Map Codepage: 1252
          Memcap used for logging URI and Hostname: 150994944
          Max Gzip Memory: 838860
          Max Gzip Sessions: 9532
          Gzip Compress Depth: 65535
          Gzip Decompress Depth: 65535
        SERVER: 10.0.0.0/8 192.168.1.0/24 192.168.56.0/24
          Server profile: All
          Ports (PAF): 80 81 82 83 84 85 86 87 88 89 90 311 383 591 593 631 901 1220 1414 1741 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250 6080 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 10000 11371 34443 34444 41080 50000 50002 55555
          Server Flow Depth: 300
          Client Flow Depth: 300
          Max Chunk Length: 500000
          Max Header Field Length: 0
          Max Number Header Fields: 0
          Max Number of WhiteSpaces allowed with header folding: 200
          Inspect Pipeline Requests: YES
          URI Discovery Strict Mode: NO
          Allow Proxy Usage: NO
          Disable Alerting: NO
          Oversize Dir Length: 0
          Only inspect URI: NO
          Normalize HTTP Headers: NO
          Inspect HTTP Cookies: NO
          Inspect HTTP Responses: NO
          Extract Gzip from responses: NO
          Unlimited decompression of gzip data from responses: NO
          Normalize Javascripts in HTTP Responses: NO
          Normalize HTTP Cookies: NO
          Enable XFF and True Client IP: YES
          Log HTTP URI data: NO
          Log HTTP Hostname data: NO
          Extended ASCII code support in URI: NO
          Ascii: YES alert: NO
          Double Decoding: YES alert: YES
          %U Encoding: YES alert: YES
          Bare Byte: YES alert: YES
          UTF 8: OFF
          IIS Unicode: YES alert: YES
          Multiple Slash: YES alert: NO
          IIS Backslash: YES alert: NO
          Directory Traversal: YES alert: NO
          Web Root Traversal: YES alert: YES
          Apache WhiteSpace: YES alert: NO
          IIS Delimiter: YES alert: NO
          IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
          Non-RFC Compliant Characters: NONE
          Whitespace Characters: 0x09 0x0b 0x0c 0x0d
        DEFAULT SERVER CONFIG:

Now I try to generate an alert by going to test.com using the command shown:

    $ wget -U ".Debian.APT-HTTP/1.3.(0.9.7.7ubuntu4)" test.com

For some strange reason I cannot get snort to log ExtraData for the True Client IP.

    # u2spewfoo /tmp/log/snort.alert.log.1379845107

    (Event)
        sensor id: 0    event id: 1    event second: 1379845237    event microsecond: 165224
        sig id: 2013504    gen id: 1    revision: 3    classification: 1
        priority: 3    ip source: 10.0.2.15    ip destination: 174.36.85.72
        src port: 60145    dest port: 80    protocol: 6    impact_flag: 0    blocked: 0

    Packet
        sensor id: 0    event id: 1    event second: 1379845237
        packet second: 1379845237    packet microsecond: 165224
        linktype: 1    packet_length: 272
    [    0] 52 54 00 12 35 02 08 00 27 EE 1B A6 08 00 45 00  RT..5...'.....E.
    [   16] 01 02 BA 59 40 00 40 06 70 21 0A 00 02 0F AE 24  ...Y@.@.p!.....$
    [   32] 55 48 EA F1 00 50 88 D7 92 2E AE CB 12 02 50 18  UH...P........P.
    [   48] 39 08 10 70 00 00 47 45 54 20 2F 20 48 54 54 50  9..p..GET / HTTP
    [   64] 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74  /1.1..User-Agent
    [   80] 3A 20 2E 44 65 62 69 61 6E 2E 41 50 54 2D 48 54  : .Debian.APT-HT
    [   96] 54 50 2F 31 2E 33 2E 28 30 2E 39 2E 37 2E 37 75  TP/1.3.(0.9.7.7u
    [  112] 62 75 6E 74 75 34 29 0D 0A 41 63 63 65 70 74 3A  buntu4)..Accept:
    [  128] 20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 74 65 73 74   */*..Host: test
    [  144] 2E 63 6F 6D 0D 0A 56 69 61 3A 20 31 2E 31 20 6C  .com..Via: 1.1 l
    [  160] 6F 63 61 6C 68 6F 73 74 20 28 73 71 75 69 64 2F  ocalhost (squid/
    [  176] 33 2E 31 2E 32 30 29 0D 0A 58 2D 46 6F 72 77 61  3.1.20)..X-Forwa
    [  192] 72 64 65 64 2D 46 6F 72 3A 20 31 39 32 2E 31 36  rded-For: 192.16
    [  208] 38 2E 31 2E 32 0D 0A 43 61 63 68 65 2D 43 6F 6E  8.1.2..Cache-Con
    [  224] 74 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D 32 35  trol: max-age=25
    [  240] 39 32 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E  9200..Connection
    [  256] 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A  : keep-alive....

-- 
Regards,
Balasubramaniam Natarajan
www.blog.etutorshop.com
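The u2spewfoo dump above does contain a Via header from squid and an X-Forwarded-For header carrying 192.168.1.2, so the first thing worth checking when XFF extra data does not appear is whether the bytes Snort saw actually hold the header. The following Python script is an added example, not code from the post or from the Snort project: it rebuilds the packet from u2spewfoo hex rows, walks the Ethernet/IPv4/TCP headers to the HTTP request, and reports the proxy-supplied client address. The trusted-proxy set and the precedence of True-Client-IP over the leftmost X-Forwarded-For entry are assumptions of this example, not Snort's documented behaviour; the hex rows are copied from the post.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Hex rows copied from the u2spewfoo output in the post (packet_length: 272).
# Row layout as printed by u2spewfoo: "[ offset] up to 16 hex bytes  ascii".
U2_HEXDUMP = """
[    0] 52 54 00 12 35 02 08 00 27 EE 1B A6 08 00 45 00  RT..5...'.....E.
[   16] 01 02 BA 59 40 00 40 06 70 21 0A 00 02 0F AE 24  ...Y@.@.p!.....$
[   32] 55 48 EA F1 00 50 88 D7 92 2E AE CB 12 02 50 18  UH...P........P.
[   48] 39 08 10 70 00 00 47 45 54 20 2F 20 48 54 54 50  9..p..GET / HTTP
[   64] 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74  /1.1..User-Agent
[   80] 3A 20 2E 44 65 62 69 61 6E 2E 41 50 54 2D 48 54  : .Debian.APT-HT
[   96] 54 50 2F 31 2E 33 2E 28 30 2E 39 2E 37 2E 37 75  TP/1.3.(0.9.7.7u
[  112] 62 75 6E 74 75 34 29 0D 0A 41 63 63 65 70 74 3A  buntu4)..Accept:
[  128] 20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 74 65 73 74   */*..Host: test
[  144] 2E 63 6F 6D 0D 0A 56 69 61 3A 20 31 2E 31 20 6C  .com..Via: 1.1 l
[  160] 6F 63 61 6C 68 6F 73 74 20 28 73 71 75 69 64 2F  ocalhost (squid/
[  176] 33 2E 31 2E 32 30 29 0D 0A 58 2D 46 6F 72 77 61  3.1.20)..X-Forwa
[  192] 72 64 65 64 2D 46 6F 72 3A 20 31 39 32 2E 31 36  rded-For: 192.16
[  208] 38 2E 31 2E 32 0D 0A 43 61 63 68 65 2D 43 6F 6E  8.1.2..Cache-Con
[  224] 74 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D 32 35  trol: max-age=25
[  240] 39 32 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E  9200..Connection
[  256] 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A  : keep-alive....
"""

# Offset in brackets, then at most 16 two-digit hex tokens; the ASCII column
# that follows is never consumed because we stop after the 16th token.
HEX_ROW = re.compile(r"\[\s*(\d+)\]((?:\s+[0-9A-Fa-f]{2}){1,16})")

# Constructed assumption: the squid box seen in the Via header is the only
# host whose X-Forwarded-For / True-Client-IP claims we are willing to believe.
TRUSTED_PROXIES: Set[str] = {"10.0.2.15", "127.0.0.1"}


def parse_u2spewfoo_dump(text: str) -> bytes:
    """Rebuild the raw frame from u2spewfoo hex rows, checking that offsets are contiguous."""
    frame = bytearray()
    for row in HEX_ROW.finditer(text):
        offset = int(row.group(1))
        if offset != len(frame):
            raise ValueError(f"row offset {offset} does not follow previous row ({len(frame)})")
        frame += bytes.fromhex("".join(row.group(2).split()))
    return bytes(frame)


def tcp_payload(frame: bytes) -> Tuple[str, str, int, int, bytes]:
    """Walk Ethernet II -> IPv4 -> TCP and return (src_ip, dst_ip, sport, dport, payload)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = int.from_bytes(ip[2:4], "big")
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport = int.from_bytes(tcp[0:2], "big")
    dport = int.from_bytes(tcp[2:4], "big")
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def parse_http_request(payload: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split an HTTP/1.x request into its request line and a lower-cased header multimap."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def original_client_ip(src_ip: str, headers: Dict[str, List[str]],
                       trusted: Set[str]) -> Optional[str]:
    """Client address claimed by proxy headers, accepted only from a trusted proxy.

    Both headers are set by whoever sent the packet, so a value from an
    untrusted source is ignored rather than logged as the true client.
    """
    if src_ip not in trusted:
        return None
    tci = headers.get("true-client-ip")
    if tci:
        return tci[0]
    xff = headers.get("x-forwarded-for")
    if xff:
        first = xff[0].split(",")[0].strip()  # leftmost entry = original client
        return first or None
    return None


def analyze(dump_text: str, trusted: Set[str] = TRUSTED_PROXIES) -> Dict[str, object]:
    """End-to-end: hex dump -> frame -> HTTP request -> proxy headers and resolved client IP."""
    src, dst, sport, dport, payload = tcp_payload(parse_u2spewfoo_dump(dump_text))
    request_line, headers = parse_http_request(payload)
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "request_line": request_line,
        "via": headers.get("via", [None])[0],
        "xff": headers.get("x-forwarded-for", [None])[0],
        "client_ip": original_client_ip(src, headers, trusted),
    }


if __name__ == "__main__":
    for key, value in analyze(U2_HEXDUMP).items():
        print(f"{key:13}: {value}")
```

Run against the dump from the post, it reports source 10.0.2.15:60145 to 174.36.85.72:80, the request line GET / HTTP/1.1, the squid Via header, and X-Forwarded-For 192.168.1.2, so the header Snort should have picked up is present on the wire. The trusted-proxy check is the caveat a defender would keep in any such tool: if the packet source is not a proxy you control, the XFF value is just another attacker-writable string and is returned as None rather than treated as the true client.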