Snort mailing list archives
Re: HTTP Inspect with only a GET request.
From: Shawn Lee <dashawn () gmail com>
Date: Wed, 22 May 2013 08:27:49 -0700
Thanks for the input. That works great on static files. Is there a way to have this work with snort listening to an interface in IDS mode?

On Wed, May 22, 2013 at 5:54 AM, Russ Combs <rcombs () sourcefire com> wrote:
> On Tue, May 21, 2013 at 6:44 PM, Shawn Lee <dashawn () gmail com> wrote:
>
> > Sorry if I missed the post where this was already discussed. I was unable to find it.
> >
> > When I run snort across a 2 packet sample consisting of a GET and a HTTP 200 response Snort's http Inspect output is the following.
> >
> > HTTP Inspect - encodings (Note: stream-reassembled packets included):
> > POST methods: 0
> > GET methods: 1
> > HTTP Request Headers extracted: 1
> > ...
> > Total packets processed: 3
> >
> > When I run it just with the GET
> >
> > HTTP Inspect - encodings (Note: stream-reassembled packets included):
> > POST methods: 0
> > GET methods: 0
> > HTTP Request Headers extracted: 0
> > ...
> > Total packets processed: 1
> >
> > I also turned on debugging and traced through the code and I can't find a way to turn an option on in order to tell snort to normalize across just a GET request. Without this I believe the snort process will not fire on uricontent if the response is lost due to packet loss, routing issues, or a web server that doesn't respond.
> >
> > Is there a way to get HTTP Inspect to normalize just a GET request without a response so I can use http rules?
>
> Either add a TCP ack to the GET or do the following:
>
> a. add preprocessor normalize_tcp: ips to your conf
> b. add --daq dump --daq-var load-mode=read-file -Q to your command line
>
> > snort.conf
> > preprocessor frag3_global: max_frags 65536
> > preprocessor frag3_engine: policy first
> > preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> >     track_udp no, show_rebuilt_packets
> > preprocessor stream5_tcp: policy first
> > preprocessor http_inspect: global \
> >     iis_unicode_map unicode.map 1252
> > preprocessor http_inspect_server: server default \
> >     profile all ports { 80 }
> >
> > Cmd
> > ./snort -c /tmp/snort/snort.conf -r /tmp/snort/anon.pcap -l /tmp/ -k none
> >
> > ./snort -V
> >
> >    ,,_     -*> Snort! <*-
> >   o"  )~   Version 2.9.4.6 GRE (Build 73)
> >    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
> >            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
> >            Using libpcap version 1.1.1
> >            Using PCRE version: 8.12 2011-01-15
> >            Using ZLIB version: 1.2.3.4
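Russ's first option, "add a TCP ack to the GET", as an added example that is not code from the thread or from the Snort project: a dependency-free Python script that writes a two-frame pcap holding the client's GET and the server's bare ACK for every request byte, so a reader can check whether their stream5/http_inspect configuration then counts the GET. The addresses, MACs, ports, sequence numbers and the request itself are constructed sample values.

```python
import socket
import struct

# Constructed sample endpoints and request (not from the thread); port 80 matches the quoted config.
CLIENT, SERVER = "10.0.0.1", "10.0.0.2"
CPORT, SPORT = 40000, 80
CLIENT_MAC, SERVER_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
ACK, PSH = 0x10, 0x08

def checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over data that already carries its checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def tcp_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums (required unless Snort runs with -k none)."""
    sip, dip = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    smac, dmac = (CLIENT_MAC, SERVER_MAC) if src == CLIENT else (SERVER_MAC, CLIENT_MAC)
    return dmac + smac + b"\x08\x00" + ip + tcp

def tcp_checksum_ok(frame):
    """Recompute the TCP checksum over pseudo-header plus segment; a valid segment sums to zero."""
    ip, tcp = frame[14:34], frame[34:]
    return checksum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0

def get_with_ack(cseq=1000, sseq=5000):
    """Client GET (PSH/ACK) followed by the server's bare ACK acknowledging the whole request."""
    get = tcp_frame(CLIENT, CPORT, SERVER, SPORT, cseq, sseq, PSH | ACK, GET)
    ack = tcp_frame(SERVER, SPORT, CLIENT, CPORT, sseq, cseq + len(GET), ACK)
    return [get, ack]

def pcap_bytes(frames, t0=1369200000):
    """Classic little-endian libpcap file (DLT_EN10MB) with one second between frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(fr), len(fr)) + fr
    return out

if __name__ == "__main__":
    with open("get_with_ack.pcap", "wb") as f:  # then: ./snort -c snort.conf -r get_with_ack.pcap
        f.write(pcap_bytes(get_with_ack()))
```

The script writes no SYN handshake, so the stream5 engine must be willing to pick up the session midstream for the ACK to matter; compare the "GET methods" counter against the GET-only pcap from the original post.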