Snort mailing list archives
Re: HTTP INSPECT fails on Mirror Port
From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Tue, 5 Aug 2014 19:18:09 +0000
________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Tuesday, August 05, 2014 4:05 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: HTTP INSPECT fails on Mirror Port
* You have something weird going on. Now 6 are eth:ip4:tcp and 4 are eth:other. Previously they were eth:ip4:other.

* At this point, since it happens only on your interface, I suggest compiling a debug version of Snort so you can catch it and see what's up. You will need to set breakpoints in decode.c in DecodeEthPkt() and DecodeIPv4Proto() wherever pc.other++ happens and figure out what protocol it sees instead of IP and TCP respectively.

I have the gdb breaks set. I see that in live packet capture mode there appears to be an internal fragmentation of the packet: though the MTU is 1500, the max size of a packet in this capture is only 556. If you look at the pkt struct's data, I see characters. But when I played with the pcap, I never saw character data. (This is the reason why the pcap works.)

* The problem does not appear to be with the length. Your 556 byte server response is the actual, full size: eth:ip4:tcp:http = 14 + 20 + 32 + 490 = 556

* You need to break on the pc.other++ lines in the above two functions and then look at exactly what the next layer protocol is. That is why decode is failing in these functions.

* For example, in the eth function you can execute this command:

    p /x p->eh->ether_type

* And in the ip4 function you can execute this command:

    p /x proto

I have the GDB dump below, with bt. I have turned off all offload settings:

# ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp segmentation offload: off
udp fragmentation offload: off
generic segmentation offload: off

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7494064 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
650     {
(gdb) bt
#0  DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
#1  0x56591224 in ProcessPacket (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n", ft=0x0) at snort.c:1821
#2  0x56593a58 in PacketCallback (user=0x0, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at snort.c:1704
#3  0x5666f489 in pcap_process_loop (user=0x57628770 "(\211bW", pkth=0xffffd6bc, data=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at daq_pcap.c:361
#4  0xf7d9e8f2 in pcap_read_linux_mmap (handle=0x576289c8, max_packets=0, callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at ./pcap-linux.c:4071
#5  0xf7da09b2 in pcap_dispatch (p=0x576289c8, cnt=0, callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at ./pcap.c:497
#6  0x5666fc26 in pcap_daq_acquire (handle=0x57628770, cnt=0, callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at daq_pcap.c:379
#7  0x5666eb1b in daq_acquire_with_meta (module=0x566bba60 <pcap_daq_module_data>, handle=0x57628770, cnt=0, callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at daq_mod_ops.c:133
#8  0x565b4f75 in DAQ_Acquire (max=0, callback=0x56593830 <PacketCallback>, user=0x0) at sfdaq.c:540
#9  0x565933bf in PacketLoop () at snort.c:3210
#10 0x565977f3 in SnortMain (argc=5, argv=0xffffd9e4) at snort.c:907
#11 0x56597bea in main (argc=841887793, argv=0x63410a0d) at snort.c:807
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been added, yet.</p>\n</body></html>\n") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496064 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496694 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7497042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7497064 "", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7497672 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7497694 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749803c "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749866c "") at decode.c:650
650     {
(gdb) c
Continuing.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
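The thread above is about the eth -> ip4 -> tcp layer walk in Snort's decoder and the two values Russ asks for at the breakpoints (the Ethernet type and the IP protocol number). The following is an added example, not code from the thread or from Snort: a small Python decoder that does the same walk over a raw frame and reports which bucket Snort's counters would put it in (eth:other, eth:ip4:other or eth:ip4:tcp), plus the ether_type, ip_proto and per-layer lengths you would otherwise read out of gdb. It only models the eth/ip4/tcp path (Snort decodes far more), and the three sample frames are constructed here: a 14 + 20 + 32 + 490 = 556 byte TCP response like the one in the thread, the same frame with ip_proto changed to UDP, and a buffer that begins with the tail of an HTTP request, which is the kind of data the gdb `pkt=...` argument showed and which cannot decode as Ethernet.

```python
"""Toy eth -> ip4 -> tcp decoder mirroring the layer walk Snort does in
DecodeEthPkt() / DecodeIP() / DecodeIPv4Proto().  Added example, not Snort code."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
ETH_HDR_LEN = 14


def classify_frame(frame: bytes) -> dict:
    """Return the layer string Snort's counters would bucket this frame under
    ("eth:other", "eth:ip4:other", "eth:ip4:tcp"), plus the values you would
    otherwise pull out of gdb (ether_type, ip_proto, per-layer lengths).
    Only the eth/ip4/tcp path is modelled; Snort decodes many more protocols.
    """
    info = {"layers": "eth:other", "ether_type": None, "ip_proto": None, "lengths": None}
    if len(frame) < ETH_HDR_LEN:
        info["layers"] = "truncated"
        return info
    # Equivalent of `p /x p->eh->ether_type` at the DecodeEthPkt breakpoint.
    ether_type = struct.unpack("!H", frame[12:14])[0]
    info["ether_type"] = ether_type
    if ether_type != ETHERTYPE_IPV4:
        return info                          # where Snort would do pc.other++ in DecodeEthPkt
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        info["layers"] = "eth:ip4:truncated"
        return info
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    info["ip_proto"] = proto                 # equivalent of `p /x proto` in DecodeIPv4Proto
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        info["layers"] = "eth:ip4:truncated"
        return info
    if proto != IPPROTO_TCP:
        info["layers"] = "eth:ip4:other"     # where Snort would do pc.other++ in DecodeIPv4Proto
        return info
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        info["layers"] = "eth:ip4:tcp:truncated"
        return info
    doff = (tcp[12] >> 4) * 4                # TCP data offset, in bytes
    info["layers"] = "eth:ip4:tcp"
    info["lengths"] = (ETH_HDR_LEN, ihl, doff, total_len - ihl - doff)
    return info


def build_tcp_frame(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Construct a well-formed eth/ip4/tcp frame (sample data; checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    doff = 20 + len(tcp_options)
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, (doff // 4) << 4, 0x18, 65535, 0, 0) + tcp_options
    total_len = 20 + doff + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes([192, 168, 1, 110]), bytes([192, 168, 1, 50]))
    return eth + ip + tcp + payload


# Constructed samples.  The first reproduces the 14 + 20 + 32 + 490 = 556 byte
# server response from the thread (12 bytes of TCP options -> 32 byte TCP header).
FULL_RESPONSE = build_tcp_frame(b"<html>" + b"x" * 484,
                                tcp_options=bytes.fromhex("0101080a") + b"\x00" * 8)

# Same frame with ip_proto flipped to UDP (17): Snort would count it as eth:ip4:other.
NOT_TCP = bytearray(FULL_RESPONSE)
NOT_TCP[ETH_HDR_LEN + 9] = 17
NOT_TCP = bytes(NOT_TCP)

# The tail of an HTTP request handed to the decoder as if it were the start of a
# frame (the kind of data the gdb `pkt=... "10.2\r\nAccept: */*..."` argument showed).
ASCII_GARBAGE = b"10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n"

if __name__ == "__main__":
    for name, frame in (("full response", FULL_RESPONSE), ("udp-like", NOT_TCP), ("ascii tail", ASCII_GARBAGE)):
        r = classify_frame(frame)
        print(f"{name:14s} len={len(frame):4d} {r['layers']:16s} "
              f"ether_type={r['ether_type']:#06x} proto={r['ip_proto']} lengths={r['lengths']}")
```

Run stand-alone it prints one line per sample; the ASCII buffer decodes to ether_type 0x3a20 (the bytes ": " at offset 12), which is exactly the sort of value that would show up from `p /x p->eh->ether_type` when the pointer Snort is handed does not point at the start of a frame.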
Current thread:
- Re: HTTP INSPECT fails on Mirror Port, (continued)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 28)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 31)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 31)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 05)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 05)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 07)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 07)