Snort mailing list archives
Re: HTTP INSPECT fails on Mirror Port
From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Mon, 4 Aug 2014 11:54:03 +0000
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Monday, August 04, 2014 4:01 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: HTTP INSPECT fails on Mirror Port

On Thu, Jul 31, 2014 at 5:28 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

From: Anand Raj Manickam [anandrm () gmail com]
Sent: Thursday, July 31, 2014 7:21 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: HTTP INSPECT fails on Mirror Port

I do not see any duplicate packets on the mirror port. I have the screenshot of snort: http://pastebin.com/dcYa4v2G
Live packet capture in parallel.

* It looks like you fixed something because the duplicates in the pcap you sent are not shown below or in the shutdown counts. However, those counts still show about half of the packets not processed by stream. Of the 11 packets, only 6 are decoded as TCP and 5 are discarded by the decoder. Most likely all traffic from your server is not decoded properly.

There is nothing fixed in the pcap; it looks like sometimes there is random behavior in the switch, where I do see some dup packets. I'm sure why those packets are decoded.

* Please send an updated pcap. Also, configure Snort to run in log mode and write a pcap (run Snort with -L but w/o -c). You should see the same protocol breakdown counts, 11 total and 6 TCP. Send that pcap too for comparison.

This is the dump with snort -L -i eth0 (w/o -c): http://pastebin.com/RpQEMA8g
I have attached the pcap (snort-L.pcap) and the log file.

* I don't see anything obvious in the pcap. Try adding the following line to your conf and see if any alerts are generated:

config autogenerate_preprocessor_decoder_rules

# tcpdump -i eth0 -nn -e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
04:15:24.568286 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4 (0x0800), length 74: 10.11.17.90.52465 > 192.168.1.110.80: Flags [S], seq 1075122842, win 4380, options [mss 1460,sackOK,TS val 2417285661 ecr 0,nop,wscale 7], length 0
04:15:24.568369 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4 (0x0800), length 74: 192.168.1.110.80 > 10.11.17.90.52465: Flags [S.], seq 1484212294, ack 1075122843, win 14480, options [mss 1460,sackOK,TS val 306401729 ecr 2417285661,nop,wscale 5], length 0
04:15:24.568564 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4 (0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [.], ack 1, win 35, options [nop,nop,TS val 2417285661 ecr 306401729], length 0
04:15:24.568699 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4 (0x0800), length 167: 10.11.17.90.52465 > 192.168.1.110.80: Flags [P.], seq 1:102, ack 1, win 35, options [nop,nop,TS val 2417285661 ecr 306401729], length 101
04:15:24.568703 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4 (0x0800), length 66: 192.168.1.110.80 > 10.11.17.90.52465: Flags [.], ack 102, win 453, options [nop,nop,TS val 306401729 ecr 2417285661], length 0
04:15:24.569410 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4 (0x0800), length 556: 192.168.1.110.80 > 10.11.17.90.52465: Flags [P.], seq 1:491, ack 102, win 453, options [nop,nop,TS val 306401729 ecr 2417285661], length 490
04:15:24.569722 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4 (0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [.], ack 491, win 43, options [nop,nop,TS val 2417285661 ecr 306401729], length 0
04:15:24.570059 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4 (0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [F.], seq 102, ack 491, win 43, options [nop,nop,TS val 2417285662 ecr 306401729], length 0
04:15:24.570137 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4 (0x0800), length 66: 192.168.1.110.80 > 10.11.17.90.52465: Flags [F.], seq 491, ack 103, win 453, options [nop,nop,TS val 306401729 ecr 2417285662], length 0
04:15:24.570285 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4 (0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [.], ack 492, win 43, options [nop,nop,TS val 2417285662 ecr 306401729], length 0

On Mon, Jul 28, 2014 at 9:27 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

From: Anand Raj Manickam [anandrm () gmail com]
Sent: Friday, July 25, 2014 8:53 PM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: HTTP INSPECT fails on Mirror Port

Yes, the pcap was captured in the same box running snort. The capture was on the port configured on mirror.

* Looks like your mirror is sending two copies of all TCP packets to your sensor. Not sure why you see different results but you might have better luck if you eliminate the duplicates.

On Friday, July 25, 2014, Russ Combs (rucombs) <rucombs () cisco com> wrote:

From: Anand Raj Manickam [anandrm () gmail com]
Sent: Friday, July 25, 2014 1:42 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror Port

This is the shutdown dump on Network Tap mode: http://pastebin.com/ADWvJAZQ
The shutdown dump on pcap readback mode: http://pastebin.com/afVJbawK
The difference I see is in Stream5 Statistics and the invocation of HTTP Inspect on pcap readback mode.

* There is a bigger difference. Check your protocol breakdown counts. Half the packets from the network are discarded.

* This is why I asked if your pcap was captured from the box you are running Snort. If you can capture a pcap there you can reproduce the problem in read back and compare pcaps.

On Thu, Jul 24, 2014 at 10:27 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

Did you capture the pcap on the box where you are running Snort? How do Snort's shutdown stats compare between pcap readback and network tap modes?

From: Anand Raj Manickam [anandrm () gmail com]
Sent: Thursday, July 24, 2014 11:57 AM
To: James Lay; snort-devel () lists sourceforge net
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror Port

Hi,

Can someone on the dev list help me?

I have Snort configured on a mirror port of a switch. Snort fails to detect HTTP, but it does detect the TCP and Stream5. The Stream5 stats only show that it tracks. I have the http_inspect and http_inspect_server preprocessors configured. But when configured to read from a pcap file, with the same config, the HTTP is detected. Can someone shed some light on what's missing in my configuration on live mirror port mode?

# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv

The config file: http://pastebin.com/qUpTfRLY
The Snort stats: http://pastebin.com/ADWvJAZQ

With a pcap file, the HTTP Inspect is fine:
snort -c /snort-2.9.6.1/etc/snort.conf -r /data/test.pcap

Thanks,

On Wed, Jul 23, 2014 at 5:24 PM, James Lay <jlay () slave-tothe-box net> wrote:

On Tue, 2014-07-22 at 18:33 +0530, Anand Raj Manickam wrote:

Did try with:

For Snort:
./configure --with-dnet-includes=/opt/include/ --with-dnet-libraries=/opt/lib --enable-sourcefire --enable-non-ether-decoders

The behaviour is the same.

For DAQ:
# ./configure --with-dnet-includes=/opt/include/ --with-dnet-libraries=/opt/lib
Build AFPacket DAQ module.. : no
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

Not sure why AFPacket fails. But since the testbed is TAP mode, I did not care.

On Mon, Jul 21, 2014 at 10:36 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2014-07-21 10:41, Anand Raj Manickam wrote:

My understanding was you do not need afpacket for mirror port, since the setting was pcap - passive. Please correct me if I'm wrong.

snort was configured with:
./configure --with-dnet-includes=/xyz --with-dnet-libraries=/xyz
DAQ without any parameters

On Mon, Jul 21, 2014 at 9:39 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2014-07-21 09:52, Anand Raj Manickam wrote:

Hi James,

I have attached the pcap.

Thanks,
Anand

Technically I believe you are right, but at this stage, I'm playing "spot the differences". My snort config line:
./configure --prefix=/opt --enable-sourcefire --with-dnet-libraries=/usr/local/lib --enable-non-ether-decoders

and my daq config and a snippet of that output:
./configure --prefix=/usr
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes

How does yours differ?

James

At this point I'm out of ideas...perhaps one of the devs can assist.

James
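The diagnostic loop Russ walks Anand through above (capture on the sensor itself, count packets per direction against the shutdown protocol breakdown, look for mirror-port duplicates, find out why the decoder drops packets) can be scripted. The block below is an added example written for this archive page; it is not code from the thread or from the Snort project. It reads a classic Ethernet pcap with the standard library only, tallies packets per direction, flags byte-identical duplicate frames (a SPAN session that mirrors both ingress and egress of one port delivers each packet twice), and verifies the IPv4 and TCP checksums, because Snort's default "config checksum_mode: all" keeps a TCP segment with a bad checksum away from stream5 and therefore from http_inspect while the raw packet counts still look healthy. The IP addresses are taken from the tcpdump output above; the capture itself is constructed inline by build_frame and write_pcap and deliberately contains one echoed SYN/ACK and one server segment with a corrupted TCP checksum. Nothing here claims either fault was the cause in the original poster's setup.

```python
# Added example (not from the thread or from Snort): triage a pcap captured on the
# sensor. Per-direction counts, exact duplicate frames (mirror port echo), and
# IPv4/TCP checksum verification. Stdlib only; classic pcap, Ethernet link type.
import struct
from collections import Counter

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10
CLIENT, SERVER = "10.11.17.90", "192.168.1.110"        # hosts from the tcpdump above
MAC = {CLIENT: bytes.fromhex("00175400614f"), SERVER: bytes.fromhex("001d9268181a")}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; a block that includes its own checksum field sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def read_pcap(buf: bytes):
    """Yield raw frames from a classic libpcap file written in either byte order."""
    magic = struct.unpack("<I", buf[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack(end + "I", buf[20:24])[0] != 1:          # DLT_EN10MB
        raise ValueError("expected an Ethernet capture")
    off = 24
    while off + 16 <= len(buf):
        incl_len = struct.unpack(end + "IIII", buf[off:off + 16])[2]
        off += 16
        yield buf[off:off + incl_len]
        off += incl_len


def triage(pcap_bytes: bytes) -> dict:
    """Per-direction counts, byte-identical duplicate frames, checksum failures."""
    stats, seen = Counter(), Counter()
    for frame in read_pcap(pcap_bytes):
        stats["total"] += 1
        seen[frame] += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            stats["non_ipv4"] += 1
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ones_complement_sum(ip) != 0:
            stats["bad_ip_csum"] += 1
        if ip[9] != 6:
            stats["non_tcp"] += 1
            continue
        stats["tcp"] += 1
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        stats["dir %s>%s" % (src, dst)] += 1
        segment = frame[14 + ihl:14 + total_len]              # drop Ethernet trailer padding
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(segment))
        if ones_complement_sum(pseudo + segment) != 0:
            stats["bad_tcp_csum"] += 1
    stats["duplicate_frames"] = sum(n - 1 for n in seen.values() if n > 1)
    return dict(stats)


def build_frame(src_ip, dst_ip, sport, dport, flags, seq, ack, payload=b"", bad_tcp_csum=False):
    """Constructed Ethernet/IPv4/TCP frame with valid checksums, or a broken TCP one."""
    src, dst = (bytes(int(o) for o in ip.split(".")) for ip in (src_ip, dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    csum = ones_complement_sum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
    if bad_tcp_csum:
        csum ^= 0x5555          # what broken TX offload or a flaky mirror can hand the sensor
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return MAC.get(dst_ip, b"\0" * 6) + MAC.get(src_ip, b"\0" * 6) + b"\x08\x00" + ip + tcp


def write_pcap(frames) -> bytes:
    """Classic little-endian pcap, link type 1 (Ethernet); timestamps are made up."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1406800000, i * 100, len(f), len(f)) + f
    return out


REQUEST = b"GET / HTTP/1.1\r\nHost: 192.168.1.110\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"


def sample_pcap() -> bytes:
    """Constructed capture: handshake plus one HTTP exchange, with two planted faults."""
    syn_ack = build_frame(SERVER, CLIENT, 80, 52465, SYN | ACK, 200, 101)
    return write_pcap([
        build_frame(CLIENT, SERVER, 52465, 80, SYN, 100, 0),
        syn_ack,
        syn_ack,                                                # fault 1: echoed by the mirror
        build_frame(CLIENT, SERVER, 52465, 80, ACK, 101, 201),
        build_frame(CLIENT, SERVER, 52465, 80, PSH | ACK, 101, 201, REQUEST),
        build_frame(SERVER, CLIENT, 80, 52465, PSH | ACK, 201, 101 + len(REQUEST),
                    RESPONSE, bad_tcp_csum=True),               # fault 2: bad TCP checksum
    ])


if __name__ == "__main__":
    for key, value in sorted(triage(sample_pcap()).items()):
        print("%-40s %d" % (key, value))
```

Against a real capture, call triage(open("snort-L.pcap", "rb").read()) and set the "dir" counts next to the protocol breakdown in Snort's shutdown stats: a direction that is present in the pcap but missing from the TCP count, or a non-zero bad_tcp_csum, tells you which side's packets the decoder or stream5 is refusing. A non-zero duplicate_frames with every checksum intact points back at the SPAN configuration rather than at the Snort config. The reader rejects pcapng and non-Ethernet link types instead of guessing.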
Current thread:
- Re: HTTP INSPECT fails on Mirror Port, (continued)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 24)
- Re: [Snort-users] HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 24)
- Re: [Snort-users] HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 24)
- Re: [Snort-users] HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 24)
- Re: [Snort-users] HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 25)
- HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 25)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 28)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 31)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 31)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 05)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 05)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 06)