Snort mailing list archives
Re: HTTP INSPECT fails on Mirror Port
From: Anand Raj Manickam <anandrm () gmail com>
Date: Thu, 24 Jul 2014 18:34:02 +0530
Hi can someone from dev help me on this ? I have the snort configured on Mirror Port of a Switch . Snort fails to detect HTTP but , It does detect the TCP and Stream5. The Stream5 Stats only show that it Tracks . I have the http_inspect and http_inspect_server preprocessors are configured. But when configured on read from pcap file , with the same config the HTTP is detected . Can someone shed some light on whats missing in my configuration on live Mirror port mode? # snort --daq-list Available DAQ modules: pcap(v3): readback live multi unpriv nfq(v7): live inline multi ipfw(v3): live inline multi unpriv dump(v2): readback live inline multi unpriv The config file : http://pastebin.com/qUpTfRLY The Snort Stats : http://pastebin.com/ADWvJAZQ With a pcap file , the HTTP Inspect is fine : snort -c /snort-2.9.6.1/etc/snort.conf -r /data/test.pcap On Wed, Jul 23, 2014 at 5:24 PM, James Lay <jlay () slave-tothe-box net> wrote:
On Tue, 2014-07-22 at 18:33 +0530, Anand Raj Manickam wrote:Did try with For Snort : ./configure --with-dnet-includes=/opt/include/ --with-dnet-libraries=/opt/lib --enable-sourcefire --enable-non-ether-decoders The behaviour is the same For DAQ : # ./configure --with-dnet-includes=/opt/include/ --with-dnet-libraries=/opt/lib Build AFPacket DAQ module.. : no Build Dump DAQ module...... : yes Build IPFW DAQ module...... : yes Build IPQ DAQ module....... : no Build NFQ DAQ module....... : yes Build PCAP DAQ module...... : yes Not sure why AFPacket fails. But since the testbed is TAP mode , i did not care. On Mon, Jul 21, 2014 at 10:36 PM, James Lay <jlay () slave-tothe-box net> wrote:On 2014-07-21 10:41, Anand Raj Manickam wrote:My understanding was you do not need afpacket for mirror port, since the setting was pcap - passive. Please correct me if i m wrong. snort was configured with ./configure --with-dnet-includes=/xyz --with-dnet-libraries=/xyz DAQ without any parameters On Mon, Jul 21, 2014 at 9:39 PM, James Lay <jlay () slave-tothe-box net> wrote:On 2014-07-21 09:52, Anand Raj Manickam wrote:Hi James, I have attached the pcap. Thanks, AnandTechnically I believe you are right, but at this stage, I'm playing "spot the differences". My snort config line: ./configure --prefix=/opt --enable-sourcefire --with-dnet-libraries=/usr/local/lib --enable-non-ether-decoders and my daq config and and snippet of that output: ./configure --prefix=/usr Build AFPacket DAQ module.. : yes Build Dump DAQ module...... : yes Build IPFW DAQ module...... : yes Build IPQ DAQ module....... : no Build NFQ DAQ module....... : no Build PCAP DAQ module...... : yes How does your differ? JamesAt this point I'm out of ideas...perhaps one of the devs can assist. James ------------------------------------------------------------------------------ Want fast and easy access to all the code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. http://p.sf.net/sfu/bds _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Want fast and easy access to all the code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. http://p.sf.net/sfu/bds _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: HTTP INSPECT fails on Mirror Port, (continued)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port Doug Burks (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port James Lay (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port James Lay (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port James Lay (Jul 21)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 22)
- Re: HTTP INSPECT fails on Mirror Port James Lay (Jul 23)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 24)
- Re: [Snort-users] HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 24)
- Re: [Snort-users] HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 24)
- Re: [Snort-users] HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 24)
- Re: [Snort-users] HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 25)
- HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 25)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 28)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 31)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 31)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 04)