Re: HTTP Inspect and packet reassembly

[Yun Zheng Hu <yunzheng.hu () gmail com>]

I forwarded you an email containing a pcap and used snort config that
has this issue.

-Yun

On Fri, Oct 29, 2010 at 02:51, Joel Esler <jesler () sourcefire com> wrote:
> Excellent, thank you all for the reports.  Does anyone have a pcap they can
> provide with this traffic in it so we can diagnose and fix it?
>
>
> Sent from my iPhone
> On Oct 28, 2010, at 8:26 PM, Eoin Miller <eoin.miller () trojanedbinaries com>
> wrote:
>
> We have seen this as well, I wrote up a blog post about it.
> http://trojanedbinaries.com/blog/?p=217
> Seems to only create the buffers based off of the frame and not the stream.
>
> On Oct 29, 2010, at 1:03 AM, matan monitz <mmonitz () gmail com> wrote:
>
> we  also came across this
> specifically on http post signatures
> a large enough request (big viewstate or a large post payload) using more
> then one packet will end in the second packet not getting into
> http_client_body buffer
>
>
>
>
> On Thu, Oct 28, 2010 at 4:09 PM, Joel Esler <jesler () sourcefire com> wrote:
> > Can you provide us with a pcap dump of the traffic?
> >
> > Joel
> >
> > On Oct 28, 2010, at 9:40 AM, L0rd Ch0de1m0rt wrote:
> >
> > > Hello.  I am investigating a situation where TCP streams are being
> > > fragmented quite small at the IP layer for some reason (load
> > > balancer?) and it seems to be causing problems for some of my rules
> > > that leverage HTTP Inspect.  From the manual I read this:
> > >
> > > "The current version of HTTP Inspect only handles stateless
> > > processing. This means that HTTP Inspect looks for HTTP
> > > fields on a packet-by-packet basis, and will be fooled if packets are
> > > not reassembled. This works fine when there is
> > > another module handling the reassembly, but there are limitations in
> > > analyzing the protocol. Future versions will have
> > > a stateful processing mode which will hook into various reassembly
> > > modules."
> > >
> > > OK, so HTTP Inspect is stateless and doesn't reassemble packets.  But
> > > then there is the sentence, "This works fine when there is another
> > > module handling the reassembly, but there are limitations in analyzing
> > > the protocol."  So my question is, if I also have Stream5 enabled for
> > > TCP, is that a sufficient "another module" or are there still
> > > "limitations" with the HTTP protocol?
> > >
> > > Specifically, I have problems with rules that use uricontent and
> > > content and need to match across more than one packet.
> > >
> > > Thanks!
> > >
> > > -L0rd C.
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Nokia and AT&T present the 2010 Calling All Innovators-North America
> > > contest
> > > Create new apps & games for the Nokia N8 for consumers in  U.S. and
> > > Canada
> > > $10 million total in prizes - $4M cash, 500 devices, nearly $6M in
> > > marketing
> > > Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> > > http://p.sf.net/sfu/nokia-dev2dev
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel () lists sourceforge net
> > > https://lists.sourceforge.net/lists/listinfo/snort-devel
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Nokia and AT&T present the 2010 Calling All Innovators-North America
> > contest
> > Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
> > $10 million total in prizes - $4M cash, 500 devices, nearly $6M in
> > marketing
> > Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> > http://p.sf.net/sfu/nokia-dev2dev
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
>
> ------------------------------------------------------------------------------
> Nokia and AT&T present the 2010 Calling All Innovators-North America contest
> Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
> $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
> Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> http://p.sf.net/sfu/nokia-dev2dev
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
> ------------------------------------------------------------------------------
> Nokia and AT&T present the 2010 Calling All Innovators-North America contest
> Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
> $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
> Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> http://p.sf.net/sfu/nokia-dev2dev
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel