Snort mailing list archives

Re: HTTP INSPECT fails on Mirror Port


From: Anand Raj Manickam <anandrm () gmail com>
Date: Thu, 24 Jul 2014 18:34:02 +0530

Hi, can someone from dev help me on this?

I have Snort configured on the mirror port of a switch. Snort fails
to detect HTTP, but it does detect TCP and Stream5.
The Stream5 stats only show that it tracks. I have the http_inspect
and http_inspect_server preprocessors configured.
But when configured to read from a pcap file, with the same config,
HTTP is detected.
Can someone shed some light on what's missing in my configuration in
live mirror port mode?

# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv

The config file : http://pastebin.com/qUpTfRLY
The Snort Stats : http://pastebin.com/ADWvJAZQ

With a pcap file, HTTP Inspect is fine:
 snort  -c /snort-2.9.6.1/etc/snort.conf  -r /data/test.pcap

On Wed, Jul 23, 2014 at 5:24 PM, James Lay <jlay () slave-tothe-box net> wrote:
On Tue, 2014-07-22 at 18:33 +0530, Anand Raj Manickam wrote:
Did try with
For Snort:
./configure --with-dnet-includes=/opt/include/
--with-dnet-libraries=/opt/lib --enable-sourcefire
--enable-non-ether-decoders
The behaviour is the same

For DAQ: # ./configure --with-dnet-includes=/opt/include/
--with-dnet-libraries=/opt/lib
Build AFPacket DAQ module.. : no
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

Not sure why AFPacket fails. But since the testbed is TAP mode, I did not care.


On Mon, Jul 21, 2014 at 10:36 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2014-07-21 10:41, Anand Raj Manickam wrote:
My understanding was you do not need afpacket for mirror port, since
the setting was pcap - passive. Please correct me if I'm wrong.
snort was configured with ./configure --with-dnet-includes=/xyz
--with-dnet-libraries=/xyz
DAQ without any parameters

On Mon, Jul 21, 2014 at 9:39 PM, James Lay <jlay () slave-tothe-box net>
wrote:
On 2014-07-21 09:52, Anand Raj Manickam wrote:
Hi James,
I have attached the pcap.
Thanks,
Anand

Technically I believe you are right, but at this stage, I'm playing
"spot the differences".  My snort config line:

./configure --prefix=/opt --enable-sourcefire
--with-dnet-libraries=/usr/local/lib --enable-non-ether-decoders

and my daq config and a snippet of that output:

./configure --prefix=/usr

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes

How does yours differ?

James

At this point I'm out of ideas...perhaps one of the devs can assist.

James
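The thread's "spot the differences" approach compares build options, but the symptom itself (HTTP detected from a pcap, not from the live mirror port, same snort.conf) can be narrowed further by feeding Snort the mirror port's own traffic both ways: capture a sample from the mirror interface, run Snort in readback on that file, then run Snort live on the interface with the identical config. If readback on the mirror capture also misses HTTP, the problem is in the traffic the switch delivers (for example only one direction of each flow, which Stream5 cannot turn into a full session); if readback works and only live mode fails, the DAQ path is at fault. The script below is an added example, not code from the thread or the Snort project. The interface name, config path, sample file and packet count are hypothetical defaults; the embedded DAQ listing is a constructed copy of the one posted above so the capability check can be exercised without Snort installed.

```shell
#!/bin/sh
# Added example: separate "bad traffic on the mirror port" from "bad DAQ
# path" by running the same snort.conf in readback and live mode.
# IFACE, CONF, SAMPLE and COUNT are assumed defaults; override via environment.
IFACE="${IFACE:-eth1}"
CONF="${CONF:-/snort-2.9.6.1/etc/snort.conf}"
SAMPLE="${SAMPLE:-/tmp/mirror-sample.pcap}"
COUNT="${COUNT:-5000}"

# Constructed copy of the `snort --daq-list` output from the thread, used
# as the default input of daq_supports so it can run without Snort present.
DAQ_LIST_SAMPLE='Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv'

# daq_supports MODULE CAPABILITY [LISTING]
# Exit 0 when the module's line in the listing carries the capability
# word (e.g. "live" or "readback"); LISTING defaults to the sample above.
daq_supports() {
    _mod=$1; _cap=$2; _list=${3:-$DAQ_LIST_SAMPLE}
    printf '%s\n' "$_list" | grep -E "^${_mod}\(v[0-9]+\):" | grep -qw -- "$_cap"
}

# snort_cmd live|readback
# Print the Snort command line for the mode. Only the packet source differs;
# the config file is the same in both runs, as in the thread.
snort_cmd() {
    case $1 in
        live)
            printf 'snort -c %s --daq pcap --daq-mode passive -i %s -A console\n' \
                "$CONF" "$IFACE" ;;
        readback)
            printf 'snort -c %s -r %s -A console\n' "$CONF" "$SAMPLE" ;;
        *)
            echo "usage: snort_cmd live|readback" >&2; return 2 ;;
    esac
}

# flow_directions FILE
# Count client SYNs and server SYN-ACKs on port 80 in the capture. A mirror
# session that forwards only one direction shows SYNs but (almost) no
# SYN-ACKs; Stream5 then never sees a complete handshake, which is worth
# ruling out before blaming the preprocessor configuration.
flow_directions() {
    _syn=$(tcpdump -nn -r "$1" \
        'tcp port 80 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' 2>/dev/null | wc -l)
    _synack=$(tcpdump -nn -r "$1" \
        'tcp port 80 and tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)' 2>/dev/null | wc -l)
    echo "port 80 SYN=$_syn SYN-ACK=$_synack"
}

main() {
    command -v snort >/dev/null 2>&1 || { echo "snort not found" >&2; exit 1; }
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not found" >&2; exit 1; }
    # Confirm the built pcap DAQ can do both modes before comparing them.
    daq_supports pcap live "$(snort --daq-list 2>&1)" || { echo "pcap DAQ has no live mode" >&2; exit 1; }
    daq_supports pcap readback "$(snort --daq-list 2>&1)" || { echo "pcap DAQ has no readback mode" >&2; exit 1; }

    echo "capturing $COUNT packets from $IFACE into $SAMPLE ..."
    tcpdump -i "$IFACE" -s 0 -c "$COUNT" -w "$SAMPLE"
    flow_directions "$SAMPLE"

    echo "== readback of the mirror capture =="; sh -c "$(snort_cmd readback)"
    echo "== live on $IFACE (Ctrl-C to stop) =="; sh -c "$(snort_cmd live)"
}

# Only run the capture/compare when invoked as: sh compare_daq.sh run
if [ "${1-}" = "run" ]; then main; fi
```

Run it as root on the sensor (`IFACE=eth2 sh compare_daq.sh run`) while real HTTP traffic crosses the mirror port, and compare the `HTTP Inspect` section of the two statistics summaries Snort prints at exit. Both runs use the same `-c` file, so any difference in HTTP counts comes from the packet source, not from `http_inspect` settings.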


------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
