Snort mailing list archives
Re: HTTP Inspect and packet reassembly
From: Matt Olney <molney () sourcefire com>
Date: Thu, 28 Oct 2010 21:21:04 -0400
This behavior is fixed in an upcoming patch. The VRT discovered the same issue.

Matt

On Thu, Oct 28, 2010 at 8:51 PM, Joel Esler <jesler () sourcefire com> wrote:

> Excellent, thank you all for the reports. Does anyone have a pcap they can provide with this traffic in it so we can diagnose and fix it?
>
> Sent from my iPhone
>
> On Oct 28, 2010, at 8:26 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:
>
>> We have seen this as well, I wrote up a blog post about it.
>> http://trojanedbinaries.com/blog/?p=217
>>
>> Seems to only create the buffers based off of the frame and not the stream.
>>
>> On Oct 29, 2010, at 1:03 AM, matan monitz <mmonitz () gmail com> wrote:
>>
>>> We also came across this, specifically on HTTP POST signatures: a large enough request (big viewstate or a large POST payload) using more than one packet will end in the second packet not getting into the http_client_body buffer.
>>>
>>> On Thu, Oct 28, 2010 at 4:09 PM, Joel Esler <jesler () sourcefire com> wrote:
>>>
>>>> Can you provide us with a pcap dump of the traffic?
>>>>
>>>> Joel
>>>>
>>>> On Oct 28, 2010, at 9:40 AM, L0rd Ch0de1m0rt wrote:
>>>>
>>>>> Hello. I am investigating a situation where TCP streams are being fragmented quite small at the IP layer for some reason (load balancer?) and it seems to be causing problems for some of my rules that leverage HTTP Inspect. From the manual I read this:
>>>>>
>>>>> "The current version of HTTP Inspect only handles stateless processing. This means that HTTP Inspect looks for HTTP fields on a packet-by-packet basis, and will be fooled if packets are not reassembled. This works fine when there is another module handling the reassembly, but there are limitations in analyzing the protocol. Future versions will have a stateful processing mode which will hook into various reassembly modules."
>>>>>
>>>>> OK, so HTTP Inspect is stateless and doesn't reassemble packets. But then there is the sentence, "This works fine when there is another module handling the reassembly, but there are limitations in analyzing the protocol." So my question is, if I also have Stream5 enabled for TCP, is that a sufficient "another module" or are there still "limitations" with the HTTP protocol?
>>>>>
>>>>> Specifically, I have problems with rules that use uricontent and content and need to match across more than one packet.
>>>>>
>>>>> Thanks!
>>>>> -L0rd C.

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
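The failure mode the thread describes, modelled as an added example (this is not code from the thread, from Snort or from the VRT): a constructed HTTP POST whose body spans two TCP segments is inspected once per segment, the way a stateless preprocessor that builds its buffer from the frame would see it, and once after sequence-number reassembly, the way a stream module hands it over. A pattern that lives entirely in the second segment is missed per packet because that segment carries no header block, so the body extractor has nothing to anchor on, exactly the "second packet not getting into http_client_body" symptom. The request bytes, the segment size and the names `segmentize`, `reassemble`, `client_body`, `match_per_packet` and `match_reassembled` are all constructed for this illustration.

```python
"""Per-packet vs. stream-reassembled matching of an HTTP POST body.

Added example: models why a detection that derives its HTTP body buffer
from a single frame misses content that only exists once the TCP stream
is reassembled. All sample data below is constructed for the example.
"""
from collections import namedtuple

# Constructed request: a POST body larger than one segment, mimicking a big viewstate.
BODY = b"__VIEWSTATE=" + b"A" * 40 + b"&user=marker-token"
HEADERS = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n\r\n" % len(BODY)
)
REQUEST = HEADERS + BODY

# Segment size chosen so the header block fits in segment 1 and the
# "marker-token" value lands entirely in segment 2 (assumption for the demo).
MSS = 128

Segment = namedtuple("Segment", "seq payload")


def segmentize(stream: bytes, mss: int = MSS, start_seq: int = 1000) -> list:
    """Split a byte stream into TCP-like segments of at most `mss` bytes."""
    return [Segment(start_seq + off, stream[off:off + mss])
            for off in range(0, len(stream), mss)]


def reassemble(segments) -> bytes:
    """Minimal stream reassembly: order by sequence number, trim overlaps, refuse gaps."""
    data = bytearray()
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:
            raise ValueError("gap in stream at seq %d" % expected)
        skip = expected - seg.seq          # bytes already delivered by an earlier segment
        data += seg.payload[skip:]
        expected = seg.seq + len(seg.payload)
    return bytes(data)


def client_body(request: bytes) -> bytes:
    """Return the HTTP body of a request buffer, or b"" when no header terminator is seen.

    A frame that does not contain the blank line ending the headers yields no body,
    which is what a stateless, per-packet body extractor observes on a continuation
    segment.
    """
    _head, sep, body = request.partition(b"\r\n\r\n")
    return body if sep else b""


def match_per_packet(segments, pattern: bytes) -> bool:
    """Stateless inspection: each segment's payload is parsed and searched on its own."""
    return any(pattern in client_body(seg.payload) for seg in segments)


def match_reassembled(segments, pattern: bytes) -> bool:
    """Stateful inspection: parse and search the reassembled stream once."""
    return pattern in client_body(reassemble(segments))


def demo(pattern: bytes = b"marker-token") -> dict:
    """Run both inspection styles over the constructed request and report the results."""
    segments = segmentize(REQUEST)
    return {
        "segments": len(segments),
        "per_packet": match_per_packet(segments, pattern),
        "reassembled": match_reassembled(segments, pattern),
    }


if __name__ == "__main__":
    for pat in (b"__VIEWSTATE", b"marker-token"):
        print(pat.decode(), demo(pat))
```

The per-packet path still matches `__VIEWSTATE`, which sits in the first segment right after the header block, so a rule can look healthy on small requests and silently miss on large ones; the useful regression check is therefore a pcap in which the content of interest falls after the first segment, which is what the maintainers ask for in the thread.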
Current thread:
- HTTP Inspect and packet reassembly L0rd Ch0de1m0rt (Oct 28)
- Re: HTTP Inspect and packet reassembly Yun Zheng Hu (Oct 28)
- Re: HTTP Inspect and packet reassembly Joel Esler (Oct 28)
- Re: HTTP Inspect and packet reassembly matan monitz (Oct 28)
- Re: HTTP Inspect and packet reassembly Eoin Miller (Oct 28)
- Re: HTTP Inspect and packet reassembly Joel Esler (Oct 28)
- Re: HTTP Inspect and packet reassembly Matt Olney (Oct 28)
- Re: HTTP Inspect and packet reassembly L0rd Ch0de1m0rt (Oct 29)
- Re: HTTP Inspect and packet reassembly Joel Esler (Oct 29)
- Re: HTTP Inspect and packet reassembly Eoin Miller (Oct 31)
- Re: HTTP Inspect and packet reassembly Joel Esler (Oct 31)
- Re: HTTP Inspect and packet reassembly matan monitz (Oct 28)
- Re: HTTP Inspect and packet reassembly Yun Zheng Hu (Oct 29)
- Re: HTTP Inspect and packet reassembly Matt Olney (Oct 29)
- Re: HTTP Inspect and packet reassembly Joel Esler (Oct 29)