Snort mailing list archives
Re: http_inspect missing requests
From: Russ <rucombs () cisco com>
Date: Fri, 3 Feb 2017 17:06:21 -0500
The final 3 GET requests were not acknowledged by the TCP server and so weren't processed. If you run in IPS mode you will see them get processed. To enable IPS mode, make sure you have

preprocessor normalize_tcp: ips

in your conf and add these args to your command line:

--daq dump --daq-var load-mode=read-file -Q

The dump DAQ allows you to test inline mode with pcaps (it will create a new pcap with only the packets allowed to pass); -Q enables inline mode; and normalize_tcp: ips enables stream normalization.
On 2/3/17 1:27 PM, Felix Erlacher wrote:
Hi all,

I have a pcap trace containing HTTP traffic. I began to wonder because Snort did not trigger all alerts I was expecting. So I extracted the TCP stream in question and looked at it more closely. My impression is that for some reason the HTTP preprocessor is not parsing all GET requests. If I load this trace in Wireshark, then "follow TCP stream", it shows me 10 GET requests. If I use ngrep to manually inspect the trace, I count 10 GET requests as well. But the HTTP Inspect preprocessor of Snort tells me it found only 7 GET requests?! What could possibly be the problem?

Some peculiarities of the trace:
- Heavy usage of HTTP/1.1 pipelining
- While Wireshark and the Snort DAQ tell me they processed 13 packets, HTTP inspect tells me it processed 17 packets.
- This trace contains checksum errors and a TCP RST in the last packet.

I am using Snort 2.9.9.0 with snort.conf from tarball and "-k none" switch. I would be happy to share the trace, but for privacy reasons I don't want to do that on the list. In case someone wants to take a look, just drop me a mail.

thanks and greetings
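As an added illustration (not code from the thread or from the Snort project), the following Python models the reasoning in Russ's reply: in IDS mode the stream reassembler only flushes client data that the server has acknowledged, so pipelined GET requests whose last byte was never covered by a server ACK are never handed to http_inspect. The Segment class, the 40-byte requests, the segment boundaries and the ACK value are constructed assumptions built to reproduce the 10-vs-7 count from the thread, not Felix's actual trace.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    src: str            # "client" or "server" (simplified one-flow model, hypothetical)
    seq: int            # TCP sequence number of the first payload byte
    ack: int            # acknowledgement number carried by this segment
    payload: bytes = b""


def client_stream(segments):
    """Reassemble client->server bytes in sequence order; returns (base_seq, data)."""
    client = sorted((s for s in segments if s.src == "client"), key=lambda s: s.seq)
    return client[0].seq, b"".join(s.payload for s in client)


def request_spans(data):
    """Yield (start, end) offsets of each GET request in the reassembled stream.
    'end' is just past the blank line that terminates the request headers."""
    pos = 0
    while (start := data.find(b"GET ", pos)) >= 0:
        if start and data[start - 2:start] != b"\r\n":   # "GET " inside a header, skip it
            pos = start + 4
            continue
        end = data.find(b"\r\n\r\n", start)
        end = len(data) if end < 0 else end + 4
        yield start, end
        pos = end


def classify_requests(segments):
    """Return (acknowledged, unacknowledged) GET counts for the client side of one flow.
    A request is acknowledged once a server ACK covers its last byte; only that data is
    flushed to http_inspect by an IDS-mode reassembler (IPS mode inspects it regardless)."""
    base, data = client_stream(segments)
    highest_ack = max((s.ack for s in segments if s.src == "server"), default=0)
    spans = list(request_spans(data))
    acked = sum(1 for _, end in spans if base + end <= highest_ack)
    return acked, len(spans) - acked


def build_sample():
    """Constructed flow: 10 pipelined GETs in 3 segments, server ACKs only the first 7."""
    reqs = [b"GET /p%d HTTP/1.1\r\nHost: example.test\r\n\r\n" % n for n in range(10)]
    chunks = [b"".join(reqs[0:4]), b"".join(reqs[4:7]), b"".join(reqs[7:10])]
    segs, seq = [], 1
    for chunk in chunks:
        segs.append(Segment("client", seq, 1, chunk))
        seq += len(chunk)
    acked_to = 1 + sum(len(r) for r in reqs[:7])        # server's last ACK, then it RSTs
    segs.append(Segment("server", 1, acked_to))
    return segs
```

Running `classify_requests(build_sample())` yields 7 acknowledged and 3 unacknowledged requests, matching what http_inspect reported versus what Wireshark counted.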