Snort mailing list archives

HTTP Preprocessor Issues


From: "Michael Devlin" <Michael.Devlin () gdnnet com>
Date: Mon, 6 Dec 2004 15:44:13 -0000

Folks, I posted a question last week in a similar vein to this one.
However, the follow-up didn't get past the admin of the list; not sure
why. I am pretty desperate for an answer, so if you will humour me I will
give it another shot, albeit re-worded and more succinct.

It appears that one of our Snort sensors is struggling with the HTTP
preprocessor. The packets that it is alerting on are an amalgamation of
one or two other packets. For example, I will get lines like the
following logged as part of an alert:

"JNLLEBODDB.GET /us/sss/ppppp.asp"

After looking at the actual packets sniffed, the "JNLLEBODDB." is in a
different session, and indeed from a different client altogether, to the
request "GET /us/sss/ppppp.asp".

The setup is:

Dell 2450 PIII 700MHz (Dual Proc *)
Fedora Core 2
Snort 2.2
Memory 512Meg
NIC 100Meg FDuplex
SCSI Disks
Logging to MySQL local to the box
Using ACID (again local)
Very few alerts generated

Throughput on the wire is less than 10Meg but it is all HTTP traffic.

Is the above something I would expect to see from an underpowered box
(all stats would imply that the box is far from being underpowered)?
Am I missing something glaringly obvious? Is there more information that
I could supply that would help pinpoint this issue? Is it worthwhile
upgrading to the RC of the new version of Snort? Finally, is this issue
likely to be with the HTTP preprocessor or the streams preprocessor?

I'd appreciate any help or shoving in a particular direction. The
next step is to find a more powerful box and replace the current one to
see if the same issue arises; I would rather not do this if at all
possible.

Regards

Michael Devlin

(*) The last time I posted on this issue it was pointed out that Snort
is not MP aware; however, I am working on the assumption that the second
processor will be used by MySQL/ACID, so it will be of benefit.
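An added triage check, not from the original post and not Snort's own code: given a batch of alert payloads like the one quoted above, it finds where the HTTP request line actually starts and reports how many bytes of foreign data precede it and whether those bytes are printable text or binary. The sample payloads are constructed for illustration; the second one is modelled on the "JNLLEBODDB.GET ..." line from the post. Running this over the payloads of the suspect alerts (exported from the database or pulled from the logged packets) gives a count of how widespread the problem is and the exact prefix bytes to go looking for in the other sessions, which is the evidence that helps narrow the fault to reassembly or to the HTTP preprocessor.

```python
import re
from collections import Counter

# Constructed sample alert payloads (not real captures). The second one is
# modelled on the symptom in the post: bytes from another session glued in
# front of a GET request line.
SAMPLE_PAYLOADS = [
    b"GET /us/sss/ppppp.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"JNLLEBODDB.GET /us/sss/ppppp.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\nabc",
    b"\x00\x00\x00\x10binaryPOST /login HTTP/1.0\r\n\r\n",
]

# Request-line shape: METHOD SP URI SP HTTP/x.y CRLF. Methods are restricted
# to the common set so random letters in a junk prefix are not taken for one.
REQUEST_LINE_RE = re.compile(
    rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) (\S+) (HTTP/\d\.\d)\r?\n"
)


def classify_payload(payload: bytes) -> dict:
    """Locate the HTTP request line in one alert payload.

    kind        'clean' (request line at offset 0), 'prefixed' (foreign bytes
                precede it) or 'no-request-line' (responses, binary, truncated)
    prefix_len  number of bytes before the request line, or None
    prefix      those bytes, so they can be searched for in other sessions
    method/uri  decoded request-line fields, or None
    """
    m = REQUEST_LINE_RE.search(payload)
    if m is None:
        return {"kind": "no-request-line", "prefix_len": None, "prefix": None,
                "method": None, "uri": None}
    prefix = payload[: m.start()]
    return {
        "kind": "clean" if not prefix else "prefixed",
        "prefix_len": len(prefix),
        "prefix": prefix,
        "method": m.group(1).decode("ascii"),
        "uri": m.group(2).decode("ascii", "replace"),
    }


def describe_prefix(prefix: bytes) -> str:
    """Say whether the junk prefix is printable text or binary.

    Printable text suggests a fragment of another text protocol session;
    binary points elsewhere. This is a triage hint, not a verdict.
    """
    if not prefix:
        return "empty"
    if all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in prefix):
        return "printable-text"
    return "binary"


def triage(payloads) -> dict:
    """Summarise a batch: counts per kind plus details of the prefixed ones."""
    counts = Counter()
    prefixed = []
    for p in payloads:
        info = classify_payload(p)
        counts[info["kind"]] += 1
        if info["kind"] == "prefixed":
            prefixed.append(
                (info["prefix_len"], describe_prefix(info["prefix"]), info["uri"])
            )
    return {"counts": dict(counts), "prefixed": prefixed}


if __name__ == "__main__":
    result = triage(SAMPLE_PAYLOADS)
    print(result["counts"])
    for length, shape, uri in result["prefixed"]:
        print(f"{length:4d} junk bytes ({shape}) before request for {uri}")
```

If most alerts come back "prefixed" with printable-text prefixes, grep the captured traffic for those exact bytes: finding them at the tail of another client's session, as the post describes, is the detail worth including when asking the list or filing a bug.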
