Snort mailing list archives
Re: HTTP INSPECT fails on Mirror Port
From: Anand Raj Manickam <anandrm () gmail com>
Date: Mon, 21 Jul 2014 21:24:49 +0530
Hi Doug,

Tried with all settings off, still no luck.

Thanks,
Anand

On Mon, Jul 21, 2014 at 8:54 PM, Doug Burks <doug.burks () gmail com> wrote:

Hi Anand,

Do you have all NIC offloading functions disabled?
http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

On Mon, Jul 21, 2014 at 11:14 AM, Anand Raj Manickam <anandrm () gmail com> wrote:

It works fine with a pcap; the issue I'm facing is when configured with a SPAN/mirror port of a switch where the traffic is mirrored from the host. It hits TCP (only tracked by Stream5) but does not hit HTTP Inspect.

On Mon, Jul 21, 2014 at 7:55 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2014-07-21 05:51, Anand Raj Manickam wrote:

Any suggestions?

On Fri, Jul 18, 2014 at 5:28 PM, Anand Raj Manickam <anandrm () gmail com> wrote:

I do not see a change; it's the same.
Screenshot: http://pastebin.com/XpcHjRqB

On Fri, Jul 18, 2014 at 5:21 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

Can you add -k none to the command line and see what happens?

--
Joel Esler
Sent from my iPhone

On Jul 18, 2014, at 7:49, "Anand Raj Manickam" <anandrm () gmail com> wrote:

Hi,

I have Snort configured on the mirror port of a switch. Snort fails to detect HTTP, but it does detect TCP and Stream5. The Stream5 stats only show that it tracks. I have the http_inspect and http_inspect_server preprocessors configured. But when configured to read from a pcap file with the same config, HTTP is detected. Can someone shed some light on what's missing in my configuration in live mirror-port mode?

# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv

The config file: http://pastebin.com/qUpTfRLY
The Snort stats: http://pastebin.com/ADWvJAZQ

With a pcap file, HTTP Inspect is fine:
snort -c /snort-2.9.6.1/etc/snort.conf -r /data/test.pcap

Thanks,

Can you provide a sanitized pcap?
James

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
Doug Burks
http://securityonionsolutions.com
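The two suggestions in the thread, Joel's -k none and Doug's question about NIC offloading, target the same capture-path failure mode. Receive-side offloads such as GRO and LRO let the kernel merge several on-the-wire segments into one oversized frame before libpcap ever sees it, and checksum offload can present frames whose checksums do not verify. Snort verifies checksums by default (-k all) and stream5 ignores bad-checksum segments during reassembly, so http_inspect, which works on the reassembled stream, never sees the HTTP even though the TCP packets are counted. The following POSIX shell script is an added example, not code from the thread or from Snort: it parses ethtool -k output to list the offload features still enabled on a sensor NIC, builds the single ethtool -K command that clears them, and prints the live-capture Snort invocation with -k none. The interface name eth1 and the embedded ethtool output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a sensor NIC's offload state
# from `ethtool -k` output and build the `ethtool -K ... off` command.
# Interface name eth1 and the SAMPLE output below are constructed.

# Map the long feature names printed by `ethtool -k` to the short names
# accepted by `ethtool -K`. Only features that merge frames or defer
# checksum/segmentation work are tracked; anything else maps to "".
short_name() {
  case "$1" in
    rx-checksumming)              echo rx ;;
    tx-checksumming)              echo tx ;;
    scatter-gather)               echo sg ;;
    tcp-segmentation-offload)     echo tso ;;
    udp-fragmentation-offload)    echo ufo ;;
    generic-segmentation-offload) echo gso ;;
    generic-receive-offload)      echo gro ;;
    large-receive-offload)        echo lro ;;
    rx-vlan-offload)              echo rxvlan ;;
    tx-vlan-offload)              echo txvlan ;;
    *)                            echo "" ;;
  esac
}

# offloads_on: read `ethtool -k` style output on stdin and print the short
# names of tracked top-level features whose state is "on", one per line.
# Indented sub-features and the "Features for ..." banner are skipped.
offloads_on() {
  while IFS= read -r line; do
    case "$line" in
      [a-z]*:*) ;;        # top-level "<name>: on|off [fixed]"
      *) continue ;;
    esac
    name=${line%%:*}
    state=${line#*: }
    state=${state%% *}    # drop a trailing "[fixed]" marker
    short=$(short_name "$name")
    if [ -n "$short" ] && [ "$state" = "on" ]; then
      echo "$short"
    fi
  done
  return 0
}

# disable_cmd: given an interface and short feature names, emit the one
# `ethtool -K` command that turns them all off (printed, not executed).
disable_cmd() {
  iface=$1; shift
  cmd="ethtool -K $iface"
  for f in "$@"; do cmd="$cmd $f off"; done
  echo "$cmd"
}

# Constructed sample in the format `ethtool -k eth1` prints; not real output.
SAMPLE='Features for eth1:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: off [fixed]
scatter-gather: on
	tx-scatter-gather: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off [fixed]
receive-hashing: off [fixed]'

main() {
  on=$(printf '%s\n' "$SAMPLE" | offloads_on)
  echo "offloads still on: $(echo $on)"
  # shellcheck disable=SC2086
  disable_cmd eth1 $on
  # Live capture with checksum verification disabled, so segments the
  # decoder would otherwise flag as bad still reach stream5/http_inspect.
  echo "snort -c /snort-2.9.6.1/etc/snort.conf -i eth1 -k none"
}

main
```

Run the printed ethtool -K command as root on the sensor before starting Snort, then confirm with ethtool -k that the features read "off" (entries marked [fixed] cannot be changed and need a different NIC or driver). Both of these steps were tried without success in this thread, so they are the first check rather than the answer; the sanitized pcap James asks for, captured on the same mirror interface, is what separates a capture-path problem from a configuration problem.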
Current thread:
- HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 18)
- Re: HTTP INSPECT fails on Mirror Port Joel Esler (jesler) (Jul 18)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 18)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port James Lay (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port Doug Burks (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port James Lay (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port James Lay (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port James Lay (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 22)
- Re: HTTP INSPECT fails on Mirror Port James Lay (Jul 23)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 24)
- Re: [Snort-users] HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 24)
- Re: [Snort-users] HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 24)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 18)
- Re: HTTP INSPECT fails on Mirror Port Joel Esler (jesler) (Jul 18)