Snort mailing list archives
HTTP INSPECT fails on Mirror Port
From: Anand Raj Manickam <anandrm () gmail com>
Date: Sat, 26 Jul 2014 06:23:07 +0530
Yes, the pcap was captured on the same box running Snort. The capture was on the port configured as the mirror.

On Friday, July 25, 2014, Russ Combs (rucombs) <rucombs () cisco com> wrote:
________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Friday, July 25, 2014 1:42 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror Port

This is the shutdown dump in network tap mode: http://pastebin.com/ADWvJAZQ
The shutdown dump in pcap readback mode: http://pastebin.com/afVJbawK

The difference I see is in the Stream5 statistics and in the invocation of HTTP Inspect in pcap readback mode.

* There is a bigger difference. Check your protocol breakdown counts. Half the packets from the network are discarded.

* This is why I asked if your pcap was captured from the box you are running Snort on. If you can capture a pcap there you can reproduce the problem in readback and compare pcaps.

On Thu, Jul 24, 2014 at 10:27 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

Did you capture the pcap on the box where you are running Snort? How do Snort's shutdown stats compare between pcap readback and network tap modes?

________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Thursday, July 24, 2014 11:57 AM
To: James Lay; snort-devel () lists sourceforge net
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror Port

Hi,

Can someone on the dev list help me?

I have Snort configured on a mirror port of a switch. Snort fails to detect HTTP, but it does detect TCP and Stream5. The Stream5 stats only show that it tracks. I have the http_inspect and http_inspect_server preprocessors configured. But when configured to read from a pcap file with the same config, HTTP is detected.

Can someone shed some light on what's missing in my configuration in live mirror port mode?
# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv

The config file: http://pastebin.com/qUpTfRLY
The Snort stats: http://pastebin.com/ADWvJAZQ

With a pcap file, HTTP Inspect is fine:
snort -c /snort-2.9.6.1/etc/snort.conf -r /data/test.pcap

Thanks,

On Wed, Jul 23, 2014 at 5:24 PM, James Lay <jlay () slave-tothe-box net> wrote:
On Tue, 2014-07-22 at 18:33 +0530, Anand Raj Manickam wrote:

Did try with

For Snort:
./configure --with-dnet-includes=/opt/include/ --with-dnet-libraries=/opt/lib --enable-sourcefire --enable-non-ether-decoders

The behaviour is the same.

For DAQ:
# ./configure --with-dnet-includes=/opt/include/ --with-dnet-libraries=/opt/lib
Build AFPacket DAQ module.. : no
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

Not sure why AFPacket fails. But since the testbed is in TAP mode, I did not care.

On Mon, Jul 21, 2014 at 10:36 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2014-07-21 10:41, Anand Raj Manickam wrote:

My understanding was you do not need afpacket for a mirror port, since the setting was pcap - passive. Please correct me if I'm wrong.

Snort was configured with
./configure --with-dnet-includes=/xyz --with-dnet-libraries=/xyz
DAQ without any parameters

On Mon, Jul 21, 2014 at 9:39 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2014-07-21 09:52, Anand Raj Manickam wrote:

Hi James,

I have attached the pcap.

Thanks,
Anand

Technically I believe you are right, but at this stage, I'm playing "spot the differences". My snort config line:
./configure --prefix=/opt --enable-sourcefire --with-dnet-libraries=/usr/local/lib --enable-non-ether-decoders

and my daq config and a snippet of that output:
./configure --prefix=/usr
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes

How does yours differ?

James

At this point I'm out of ideas...perhaps one of the devs can assist.

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
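The comparison Russ asks for in this thread (capture a pcap on the Snort box, replay it with -r, then set the live and readback shutdown dumps side by side) can be done mechanically. The following is an added example, not code from the Snort project or from any poster in the thread. It assumes the layout of a Snort 2.9.x shutdown-stats dump: sections introduced by a line ending in ':' and separated by rules of '=' characters, with counters printed as 'Name:   count' or 'Name:   count ( pct%)'. The two sample dumps embedded below are constructed to resemble that layout; their section names, counter names and numbers are illustrative assumptions, not real Snort output.

```python
"""Compare two Snort 2.9 shutdown-stats dumps (live tap vs. pcap readback).

Added example for the thread above; not code from the Snort project or any
poster. Assumes the Snort 2.9.x dump layout: sections start with a line
ending in ':' and are separated by '=====' rules; counters appear as
'Name:   count' or 'Name:   count ( pct%)'. Sample dumps are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Stats = Dict[str, Dict[str, int]]
Diff = List[Tuple[str, str, Optional[int], Optional[int]]]

# 'Name:   count' optionally followed by '( pct%)'; the percentage is dropped.
_COUNTER = re.compile(r"^\s*(?P<name>[^:]+?):\s+(?P<count>\d+)(?:\s*\([^)]*\))?\s*$")


def parse_stats(dump: str) -> Stats:
    """Return {section: {counter: count}}; lines without a count are ignored."""
    stats: Stats = {}
    section = "(preamble)"
    for raw in dump.splitlines():
        line = raw.rstrip()
        if not line.strip("= "):
            continue  # blank line or '=====' separator
        m = _COUNTER.match(line)
        if m:
            stats.setdefault(section, {})[m["name"].strip()] = int(m["count"])
        elif line.endswith(":"):
            section = line[:-1].strip()  # e.g. 'Packet I/O Totals'
    return stats


def diff_stats(live: Stats, readback: Stats) -> Diff:
    """Counters whose values differ; None means the counter is absent there."""
    out: Diff = []
    for section in sorted(set(live) | set(readback)):
        a, b = live.get(section, {}), readback.get(section, {})
        for name in sorted(set(a) | set(b)):
            if a.get(name) != b.get(name):
                out.append((section, name, a.get(name), b.get(name)))
    return out


def missing_sections(live: Stats, readback: Stats) -> List[str]:
    """Stats sections (preprocessors that produced output) seen only in readback."""
    return sorted(set(readback) - set(live))


def halved_counters(live: Stats, readback: Stats) -> List[Tuple[str, str]]:
    """Counters where the live count is at most half the readback count."""
    out = []
    for section, counters in readback.items():
        for name, rb in counters.items():
            lv = live.get(section, {}).get(name)
            if rb and lv is not None and lv * 2 <= rb:
                out.append((section, name))
    return sorted(out)


# Constructed sample dumps (layout only; numbers and names are made up).
LIVE_DUMP = """\
===============================================================================
Packet I/O Totals:
   Received:         2000
   Analyzed:         1000 ( 50.000%)
   Dropped:          1000 ( 50.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:         1000 (100.000%)
        TCP:          960 ( 96.000%)
      Total:         1000
===============================================================================
Stream5 statistics:
            Total sessions:         40
===============================================================================
"""

READBACK_DUMP = """\
===============================================================================
Packet I/O Totals:
   Received:         2000
   Analyzed:         2000 (100.000%)
   Dropped:             0 (  0.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:         2000 (100.000%)
        TCP:         1920 ( 96.000%)
      Total:         2000
===============================================================================
Stream5 statistics:
            Total sessions:         40
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
     GET methods:           57
===============================================================================
"""

if __name__ == "__main__":
    live, rb = parse_stats(LIVE_DUMP), parse_stats(READBACK_DUMP)
    for section in missing_sections(live, rb):
        print(f"section only in readback: {section}")
    for section, name, lv, rv in diff_stats(live, rb):
        print(f"{section} / {name}: live={lv} readback={rv}")
    for section, name in halved_counters(live, rb):
        print(f"live is at most half of readback: {section} / {name}")
```

To use it against real dumps, save the two shutdown outputs to files and feed their contents to parse_stats in place of the constructed strings. A section that appears only in the readback dump means that preprocessor produced no statistics in live mode, and a counter that is halved on the live side points at where packets are being lost before detection sees them, which is the first thing to check before touching the http_inspect configuration.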
Current thread:
- Re: HTTP INSPECT fails on Mirror Port, (continued)
- Re: HTTP INSPECT fails on Mirror Port James Lay (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port James Lay (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 22)
- Re: HTTP INSPECT fails on Mirror Port James Lay (Jul 23)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 24)
- Re: [Snort-users] HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 24)
- Re: [Snort-users] HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 24)
- Re: [Snort-users] HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 24)
- Re: [Snort-users] HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 25)
- HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 25)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 28)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 31)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 31)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 05)