Snort mailing list archives

Re: HTTP INSPECT fails on Mirror Port


From: Anand Raj Manickam <anandrm () gmail com>
Date: Mon, 21 Jul 2014 21:24:49 +0530

Hi Doug,
Tried with all settings off, still no luck.
Thanks,
Anand

On Mon, Jul 21, 2014 at 8:54 PM, Doug Burks <doug.burks () gmail com> wrote:
Hi Anand,

Do you have all NIC offloading functions disabled?
http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

On Mon, Jul 21, 2014 at 11:14 AM, Anand Raj Manickam <anandrm () gmail com> wrote:
It works fine with a pcap; the issue I'm facing is when it is configured
with a SPAN/Mirror port of a switch where the traffic is mirrored from
the host. It hits till the TCP (only tracked at Stream 5) but does not
hit the HTTP Inspect.

On Mon, Jul 21, 2014 at 7:55 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2014-07-21 05:51, Anand Raj Manickam wrote:
Any Suggestions ?

On Fri, Jul 18, 2014 at 5:28 PM, Anand Raj Manickam
<anandrm () gmail com> wrote:
I do not see a change, it's the same.
Screen shot : http://pastebin.com/XpcHjRqB


On Fri, Jul 18, 2014 at 5:21 PM, Joel Esler (jesler)
<jesler () cisco com> wrote:
Can you add -k none to the command line and see what happens?

--
Joel Esler
Sent from my iPhone

On Jul 18, 2014, at 7:49, "Anand Raj Manickam" <anandrm () gmail com> wrote:

Hi,
I have Snort configured on the mirror port of a switch. Snort fails
to detect HTTP, but it does detect the TCP and Stream5.
The Stream5 stats only show that it tracks. I have the http_inspect
and http_inspect_server preprocessors configured.
But when configured to read from a pcap file, with the same config,
the HTTP is detected.
Can someone shed some light on what's missing in my configuration
in live mirror port mode?

# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv

The config file : http://pastebin.com/qUpTfRLY
The Snort Stats : http://pastebin.com/ADWvJAZQ

With a pcap file , the HTTP Inspect is fine :
snort  -c /snort-2.9.6.1/etc/snort.conf  -r /data/test.pcap

Thanks,

Can you provide a sanitized pcap?

James

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



--
Doug Burks
http://securityonionsolutions.com

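The two causes the thread circles around, TCP/IP checksums the sensor cannot verify (which `-k none` tells Snort to ignore) and oversized segments produced by NIC offloading such as GRO/LRO on the sniffing interface, can be checked directly on captured frames. This is an added example, not code from the thread or from Snort; the frame builder, the MTU value and the addresses and ports in it are constructed.

```python
# Added example (not part of the thread): inspect Ethernet/IPv4/TCP frames for the
# two symptoms that make Snort's stream5/http_inspect silently skip SPAN-port
# traffic: checksums that do not verify, and segments larger than the link MTU.
import struct

MTU = 1500  # assumed link MTU of the sniffing interface

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum; a buffer carrying a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def check_frame(frame: bytes) -> dict:
    """Report checksum validity and oversize status of one Ethernet/IPv4 frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return {"ipv4": False}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    findings = {"ipv4": True,
                "ip_checksum_ok": ones_complement_sum(ip[:ihl]) == 0,
                "oversized": total_len > MTU,   # GRO/LRO-coalesced segment
                "tcp_checksum_ok": None}
    if ip[9] == 6:  # TCP: checksum covers pseudo-header + segment
        tcp = ip[ihl:total_len]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
        findings["tcp_checksum_ok"] = ones_complement_sum(pseudo + tcp) == 0
    return findings

def build_frame(payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame with valid checksums
    (constructed sample input; MACs, addresses and ports are made up)."""
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000,
                         64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_sum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, tcp_len)
    csum = ones_complement_sum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    eth = bytes(range(6)) + bytes(range(6, 12)) + b"\x08\x00"
    return eth + ip_hdr + tcp_hdr + payload

if __name__ == "__main__":
    print(check_frame(build_frame(b"A" * 3000)))  # oversized, like a GRO-coalesced segment
```

Run it over frames read from a pcap taken on the SPAN port: frames flagged `oversized` point at offloading on the capture NIC, while frames whose checksums do not verify are the ones Snort drops unless started with `-k none`.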