Re: HTTP INSPECT fails on Mirror Port

["Russ Combs (rucombs)" <rucombs () cisco com>]

________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Friday, July 25, 2014 8:53 PM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: HTTP INSPECT fails on Mirror Port

Yes..the pap was captured in the same box running snort.
The capture was on the port configured on mirror.

* Looks like your mirror is sending two copies of all TCP packets to your sensor.  Not sure why you see different 
results but you might have better luck if you eliminate the duplicates.

On Friday, July 25, 2014, Russ Combs (rucombs) <rucombs () cisco com<UrlBlockedError.aspx>> wrote:

________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Friday, July 25, 2014 1:42 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror Port

This is the shutdown dump on Network Tap mode  http://pastebin.com/ADWvJAZQ
The Shutdown dump on pcap readback mode http://pastebin.com/afVJbawK
The difference i see is in Stream5 Statistics and the invocation of
HTTP Inspect on pcap readback mode.

* There is a bigger difference.  Check your protocol breakdown counts.  Half the packets from the network are discarded.

* This is why I asked if your pcap was captured from the box you are running Snort.  If you can capture a pcap there 
you can reproduce the problem in read back and compare pcaps.

On Thu, Jul 24, 2014 at 10:27 PM, Russ Combs (rucombs)
<rucombs () cisco com> wrote:
> Did you capture the pcap on the box where you are running Snort?  How do Snort's shutdown stats compare between pcap 
> readback and network tap modes?
>
> ________________________________________
> From: Anand Raj Manickam [anandrm () gmail com]
> Sent: Thursday, July 24, 2014 11:57 AM
> To: James Lay; snort-devel () lists sourceforge net
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror Port
>
> Hi,
> Can someone on dev list help me ?
>
> I have the snort configured on Mirror Port of a Switch . Snort fails
> to detect HTTP but , It does detect the TCP and Stream5.
> The Stream5 Stats only show that it Tracks . I have the http_inspect
> and http_inspect_server preprocessors are configured.
> But when configured on read from pcap file , with the same config the
> HTTP is detected .
> Can someone shed some light on whats missing in my configuration on
> live Mirror port mode?
>
> # snort --daq-list
> Available DAQ modules:
> pcap(v3): readback live multi unpriv
> nfq(v7): live inline multi
> ipfw(v3): live inline multi unpriv
> dump(v2): readback live inline multi unpriv
>
> The config file : http://pastebin.com/qUpTfRLY
> The Snort Stats : http://pastebin.com/ADWvJAZQ
>
> With a pcap file , the HTTP Inspect is fine :
>  snort  -c /snort-2.9.6.1/etc/snort.conf  -r /data/test.pcap
>
> Thanks,
>
> On Wed, Jul 23, 2014 at 5:24 PM, James Lay <jlay () slave-tothe-box net> wrote:
> > On Tue, 2014-07-22 at 18:33 +0530, Anand Raj Manickam wrote:
> > > Did try with
> > > For Snort :
> > > ./configure --with-dnet-includes=/opt/include/
> > > --with-dnet-libraries=/opt/lib --enable-sourcefire
> > > --enable-non-ether-decoders
> > > The behaviour is the same
> > >
> > > For DAQ : # ./configure --with-dnet-includes=/opt/include/
> > > --with-dnet-libraries=/opt/lib
> > > Build AFPacket DAQ module.. : no
> > > Build Dump DAQ module...... : yes
> > > Build IPFW DAQ module...... : yes
> > > Build IPQ DAQ module....... : no
> > > Build NFQ DAQ module....... : yes
> > > Build PCAP DAQ module...... : yes
> > >
> > > Not sure why AFPacket fails. But since the testbed is TAP mode , i did not care.
> > >
> > >
> > > On Mon, Jul 21, 2014 at 10:36 PM, James Lay <jlay () slave-tothe-box net> wrote:
> > > > On 2014-07-21 10:41, Anand Raj Manickam wrote:
> > > > > My understanding was you do not need afpacket for mirror port, since
> > > > > the setting was pcap - passive. Please correct me if i m wrong.
> > > > > snort was configured with ./configure --with-dnet-includes=/xyz
> > > > > --with-dnet-libraries=/xyz
> > > > > DAQ without any parameters
> > > > >
> > > > > On Mon, Jul 21, 2014 at 9:39 PM, James Lay <jlay () slave-tothe-box net>
> > > > > wrote:
> > > > > > On 2014-07-21 09:52, Anand Raj Manickam wrote:
> > > > > > > Hi James,
> > > > > > > I have attached the pcap.
> > > > > > > Thanks,
> > > > > > > Anand
> > > >
> > > > Technically I believe you are right, but at this stage, I'm playing
> > > > "spot the differences".  My snort config line:
> > > >
> > > > ./configure --prefix=/opt --enable-sourcefire
> > > > --with-dnet-libraries=/usr/local/lib --enable-non-ether-decoders
> > > >
> > > > and my daq config and and snippet of that output:
> > > >
> > > > ./configure --prefix=/usr
> > > >
> > > > Build AFPacket DAQ module.. : yes
> > > > Build Dump DAQ module...... : yes
> > > > Build IPFW DAQ module...... : yes
> > > > Build IPQ DAQ module....... : no
> > > > Build NFQ DAQ module....... : no
> > > > Build PCAP DAQ module...... : yes
> > > >
> > > > How does your differ?
> > > >
> > > > James
> >
> > At this point I'm out of ideas...perhaps one of the devs can assist.
> >
> > James
> >
> >
> > ------------------------------------------------------------------------------
> > Want fast and easy access to all the code in your enterprise? Index and
> > search up to 200,000 lines of code with a free copy of Black Duck
> > Code Sight - the same software that powers the world's largest code
> > search on Ohloh, the Black Duck Open Hub! Try it now.
> > http://p.sf.net/sfu/bds
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Infragistics Professional
Build stunning WinForms apps today!
Reboot your WinForms applications with our WinForms controls. 
Build a bridge from your legacy apps to the future.
http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!