Snort mailing list archives
HTTP Preprocessor Issues
From: "Michael Devlin" <Michael.Devlin () gdnnet com>
Date: Mon, 6 Dec 2004 15:44:13 -0000
Folks,

I posted a question last week on a similar vein to this one... However, the follow-up didn't get past the admin of the list... Not sure why. I am pretty desperate for an answer, so if you will humour me I will give it another shot... albeit re-worded and more succinct.

It appears that one of our Snort sensors is struggling with the HTTP preprocessor. The packets that it is alerting on are an amalgamation of one or two other packets. For example, I will get lines like the following logged as part of an alert:

"JNLLEBODDB.GET /us/sss/ppppp.asp"

After looking at the actual packets sniffed, the "JNLLEBODDB." is in a different session, and indeed from a different client altogether, to the request "GET /us/sss/ppppp.asp".

The setup is:

Dell 2450 PIII 700MHz (Dual Proc *)
Fedora Core 2
Snort 2.2
Memory 512Meg
NIC 100Meg FDuplex
SCSI Disks
Logging to MySQL local to the box
Using ACID (again local)
Very few alerts generated
Throughput on the wire is less than 10Meg, but it is all HTTP traffic.

Is the above something I would expect to see from an underpowered box (all stats would imply that the box is far from being underpowered)...? Am I missing something glaringly obvious? Is there more information that I could supply that would help pinpoint this issue? Is it worthwhile upgrading to the RC of the new version of Snort? Finally, is this issue likely to be with the HTTP preprocessor or the streams preprocessor?

I'd appreciate any help or shoving in a particular direction.... The next step is to find a more powerful box and replace the current one to see if the same issue arises; I would rather not do this if at all possible.

Regards
Michael Devlin

(*) The last time I posted on this issue it was pointed out that Snort is not MP aware; however, I am working on the assumption that the second processor will be used by MySQL/ACID, so will be of benefit.
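A small triage script, added here as an example and not part of Michael's post or of Snort itself, that applies the check the symptom suggests: scan logged alert payloads for an HTTP request line that does not begin at offset 0 and report the foreign leading bytes, so exactly those alerts can be pulled and compared against the sniffed packets. The sample payloads and the list of HTTP methods are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample alert payloads (not taken from a real sensor), modelled on
# the symptom in the post: entry 1 has bytes from another session glued in
# front of the GET, exactly like "JNLLEBODDB.GET /us/sss/ppppp.asp".
SAMPLE_PAYLOADS: List[bytes] = [
    b"GET /us/sss/ppppp.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"JNLLEBODDB.GET /us/sss/ppppp.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /login.asp HTTP/1.0\r\nContent-Length: 5\r\n\r\nabcde",
    b"\x16\x03\x01\x00\x2f\x01",  # not HTTP at all: skipped, not flagged
]

# An HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
# (method list is an assumption; extend it for your own traffic mix).
REQUEST_LINE = re.compile(
    rb"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) [^ \r\n]+ HTTP/1\.[01]\r?\n"
)


def split_payload(payload: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (leading_bytes, request_line) for the first request line found,
    or None when the payload holds no HTTP request line at all."""
    m = REQUEST_LINE.search(payload)
    if m is None:
        return None
    return payload[: m.start()], m.group(0).rstrip(b"\r\n")


def glued_entries(payloads: List[bytes]) -> List[Tuple[int, bytes, bytes]]:
    """Flag payloads whose request line does not start at offset 0.

    These are the alerts worth pulling the pcap for: the leading bytes should
    be checked against the 4-tuple of the flow that actually carried the GET,
    which is how the post's "different session, different client" was found."""
    flagged: List[Tuple[int, bytes, bytes]] = []
    for idx, payload in enumerate(payloads):
        parts = split_payload(payload)
        if parts is None:
            continue
        lead, req = parts
        if lead:
            flagged.append((idx, lead, req))
    return flagged


if __name__ == "__main__":
    for idx, lead, req in glued_entries(SAMPLE_PAYLOADS):
        print(f"payload {idx}: {len(lead)} foreign byte(s) {lead!r} before {req!r}")
```

Feed it the payload column exported from the ACID/MySQL alert table; a clean sensor should report nothing, and every hit gives you the leading bytes to search for in the capture.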