Snort mailing list archives
Re: HTTP INSPECT fails on Mirror Port
From: Anand Raj Manickam <anandrm () gmail com>
Date: Wed, 6 Aug 2014 15:17:03 +0530
On Wed, Aug 6, 2014 at 12:48 AM, Russ Combs (rucombs) <rucombs () cisco com> wrote:
> ________________________________________
> From: Anand Raj Manickam [anandrm () gmail com]
> Sent: Tuesday, August 05, 2014 4:05 AM
> To: Russ Combs (rucombs)
> Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
> Subject: Re: HTTP INSPECT fails on Mirror Port
>
> * You have something weird going on. Now 6 are eth:ip4:tcp and 4 are eth:other. Previously they were eth:ip4:other.
>
> * At this point, since it happens only on your interface, I suggest compiling a debug version of Snort so you can catch it and see what's up. You will need to set breakpoints in decode.c in DecodeEthPkt() and DecodeIPv4Proto() wherever pc.other++ happens and figure out what protocol it sees instead of IP and TCP respectively.
>
> I have the gdb breaks set. I see that in live packet capture mode there appears to be an internal fragmentation of the packet though the MTU is 1500; the max size of a packet in this capture is only 556. If you look at the pkt struct's data, I see characters. But when I played with the pcap, I never saw character data. (This is the reason why pcap works.)
>
> * The problem does not appear to be with the length. Your 556 byte server response is the actual, full size: eth:ip4:tcp:http = 14 + 20 + 32 + 490 = 556
>
> * You need to break on the pc.other++ lines in the above two functions and then look at exactly what the next layer protocol is. That is why decode is failing in these functions.
>
> * For example, in the eth function you can execute this command:
>
>     p /x p->eh->ether_type
>
> * And in the ip4 function you can execute this command:
>
>     p /x proto
Sorry, I forgot to mention that I did see random values on ether_type (0x40, 0x203a etc.), whereas when I ran with the pcap, the ptype was always 0x8. Not sure why the packets are split. Below is the dump of gdb in tap mode:

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:701
701         switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$28 = 0x40
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:701
701         switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$29 = 0x40
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:701
701         switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$30 = 0x8
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7494064 "\255L", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) p /x p->iph->ip_proto
$31 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:701
701         switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$32 = 0x203a
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:701
701         switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$33 = 0x8
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) p /x p->iph->ip_proto
$34 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been added, yet.</p>\n</body></html>\n") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been added, yet.</p>\n</body></html>\n") at decode.c:701
701         switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$35 = 0x7475
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:701
701         switch(ntohs(p->eh->ether_type))
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496064 "\255L", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) p /x p->eh->ether_type
$36 = 0x8
(gdb) p /x p->iph->ip_proto
$37 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
650     {
(gdb) c
Continuing.
I have the GDB dump below, with bt. I have turned off all offload settings:

# ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp segmentation offload: off
udp fragmentation offload: off
generic segmentation offload: off

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7494064 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
650     {
(gdb) bt
#0  DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
#1  0x56591224 in ProcessPacket (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n", ft=0x0) at snort.c:1821
#2  0x56593a58 in PacketCallback (user=0x0, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at snort.c:1704
#3  0x5666f489 in pcap_process_loop (user=0x57628770 "(\211bW", pkth=0xffffd6bc, data=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at daq_pcap.c:361
#4  0xf7d9e8f2 in pcap_read_linux_mmap (handle=0x576289c8, max_packets=0, callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at ./pcap-linux.c:4071
#5  0xf7da09b2 in pcap_dispatch (p=0x576289c8, cnt=0, callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at ./pcap.c:497
#6  0x5666fc26 in pcap_daq_acquire (handle=0x57628770, cnt=0, callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at daq_pcap.c:379
#7  0x5666eb1b in daq_acquire_with_meta (module=0x566bba60 <pcap_daq_module_data>, handle=0x57628770, cnt=0, callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at daq_mod_ops.c:133
#8  0x565b4f75 in DAQ_Acquire (max=0, callback=0x56593830 <PacketCallback>, user=0x0) at sfdaq.c:540
#9  0x565933bf in PacketLoop () at snort.c:3210
#10 0x565977f3 in SnortMain (argc=5, argv=0xffffd9e4) at snort.c:907
#11 0x56597bea in main (argc=841887793, argv=0x63410a0d) at snort.c:807
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been added, yet.</p>\n</body></html>\n") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496064 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496694 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7497042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7497064 "", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7497672 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7497694 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749803c "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749866c "") at decode.c:650
650     {
(gdb) c
Continuing.
c
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
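Editor's added example (not Snort code and not posted by anyone in the thread). The ether_type values in the dump are worth reading as bytes. "p /x p->eh->ether_type" prints the raw 16-bit field in host order on the 32-bit x86 box in the thread, which is why IPv4 shows up as 0x8 rather than 0x0800. By the same rule 0x203a is the byte pair 0x3a 0x20 (": ") and 0x7475 is 0x75 0x74 ("ut"), and those are exactly bytes 12 and 13 of the pkt strings printed at those stops ("10.2\r\nAccept: ..." and "is running but ..."). In other words, at the eth:other stops the decoder is reading an Ethernet header out of the middle of HTTP text. The program below is a minimal decoder that takes the same branches as the pc.other++ points in DecodeEthPkt() and DecodeIPv4Proto(), builds a constructed 556-byte frame with the 14 + 20 + 32 + 490 layout Russ worked out, decodes it once from the real frame start and once from a pointer 83 bytes in (inside the HTTP headers, chosen so the misread ether_type reproduces the 0x203a from the dump), and reports both the network-order value the switch sees and the host-order value gdb would print. MAC addresses, the client address, ports, TCP options and the HTTP body are constructed; checksums are left zero and are not verified; the little-endian assumption and the printable-ASCII heuristic are the editor's, not Snort's.

```c
/*
 * Added example (editor's, not Snort code): a minimal Ethernet/IPv4 decoder
 * that takes the same branches Snort's DecodeEthPkt() and DecodeIPv4Proto()
 * take before bumping pc.other, run over a constructed 556-byte frame laid
 * out as 14 eth + 20 ip + 32 tcp + 490 http, first from the real frame start
 * and then from a pointer that lands inside the HTTP payload.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN        14
#define ETHERTYPE_IPV4  0x0800
#define IPPROTO_TCP_NUM 6
#define FRAME_LEN       556

enum decode_result { ETH_TRUNCATED = -1, ETH_IP4_TCP = 0, ETH_IP4_OTHER = 1, ETH_OTHER = 2 };

/* Counters in the spirit of Snort's pc.* stats. */
struct decode_counts { unsigned ip4_tcp, ip4_other, eth_other, truncated; };

/* Network-order read: what ntohs(p->eh->ether_type) yields in the switch. */
static uint16_t rd16_be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* What "p /x p->eh->ether_type" prints in gdb on a little-endian host: the raw
 * field bytes in host order, so IPv4 shows as 0x8. Little-endian is assumed,
 * as the 32-bit x86 addresses in the thread suggest. */
uint16_t ethertype_as_gdb_prints(const uint8_t *pkt) { return (uint16_t)(pkt[12] | (pkt[13] << 8)); }

/* Decode one frame; report the ether_type (network order) and IP protocol seen. */
enum decode_result decode_frame(const uint8_t *pkt, size_t len, struct decode_counts *pc,
                                uint16_t *ether_type, uint8_t *ip_proto)
{
    *ether_type = 0;
    *ip_proto = 0;
    if (len < ETH_HLEN) { pc->truncated++; return ETH_TRUNCATED; }
    *ether_type = rd16_be(pkt + 12);
    if (*ether_type != ETHERTYPE_IPV4) { pc->eth_other++; return ETH_OTHER; }   /* pc.other++ in DecodeEthPkt */

    const uint8_t *ip = pkt + ETH_HLEN;
    size_t iplen = len - ETH_HLEN;
    if (iplen < 20 || (ip[0] >> 4) != 4) { pc->truncated++; return ETH_TRUNCATED; }
    size_t hlen = (size_t)(ip[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > iplen) { pc->truncated++; return ETH_TRUNCATED; }
    *ip_proto = ip[9];
    if (*ip_proto != IPPROTO_TCP_NUM) { pc->ip4_other++; return ETH_IP4_OTHER; } /* pc.other++ in DecodeIPv4Proto */
    pc->ip4_tcp++;
    return ETH_IP4_TCP;
}

/* Editor's heuristic, not a Snort check: an ether_type whose two bytes are
 * both printable ASCII is a strong hint that the frame pointer is inside
 * application data rather than at a frame boundary. */
int ethertype_looks_like_text(uint16_t ether_type)
{
    uint8_t hi = (uint8_t)(ether_type >> 8), lo = (uint8_t)(ether_type & 0xff);
    return hi >= 0x20 && hi < 0x7f && lo >= 0x20 && lo < 0x7f;
}

/* Constructed input: one 556-byte frame carrying an HTTP response from the web
 * server in the thread (192.168.1.110). MACs, client address, ports, TCP options
 * and the body are made up; checksums are zero and are not checked. */
size_t build_http_response_frame(uint8_t *buf /* at least FRAME_LEN bytes */)
{
    static const uint8_t eth[ETH_HLEN] = {
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* dst MAC (constructed) */
        0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,   /* src MAC (constructed) */
        0x08, 0x00 };                         /* ether_type = IPv4 */
    static const uint8_t ip[20] = {
        0x45, 0x00, 0x02, 0x1e,               /* v4, ihl=5, total length 542 = 20+32+490 */
        0x00, 0x01, 0x40, 0x00,               /* id, DF */
        0x40, 0x06, 0x00, 0x00,               /* ttl 64, proto 6 (TCP), csum 0 */
        192, 168, 1, 110,                     /* src: the web server in the thread */
        192, 168, 1, 50 };                    /* dst: client (constructed) */
    static const uint8_t tcp[32] = {
        0x00, 0x50, 0xc3, 0x50,               /* sport 80, dport 50000 */
        0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
        0x80, 0x18, 0x00, 0xe5,               /* data offset 8 (32 bytes), PSH|ACK, win */
        0x00, 0x00, 0x00, 0x00,               /* csum 0, urg 0 */
        0x01, 0x01, 0x08, 0x0a,               /* NOP, NOP, timestamp option (len 10) */
        0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02 };
    static const char head[] =
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: Keep-Alive\r\n\r\n";
    size_t off = 0;
    memcpy(buf + off, eth, sizeof eth); off += sizeof eth;
    memcpy(buf + off, ip,  sizeof ip);  off += sizeof ip;
    memcpy(buf + off, tcp, sizeof tcp); off += sizeof tcp;   /* off is now 66 */
    size_t hl = strlen(head);
    memcpy(buf + off, head, hl);
    /* pad the body with a repeating placeholder up to the 490 payload bytes */
    for (size_t i = off + hl; i < FRAME_LEN; i++)
        buf[i] = (uint8_t)"<html>body</html>"[(i - off - hl) % 17];
    return FRAME_LEN;
}

int main(void)
{
    uint8_t frame[FRAME_LEN];
    struct decode_counts pc = {0};
    uint16_t et; uint8_t proto;
    size_t n = build_http_response_frame(frame);

    enum decode_result r = decode_frame(frame, n, &pc, &et, &proto);
    printf("frame start:  result=%d ntohs(ether_type)=0x%04x gdb shows 0x%x ip_proto=0x%x\n",
           r, et, ethertype_as_gdb_prints(frame), proto);

    /* Misaligned view: pretend the frame begins 83 bytes in (inside the HTTP
     * headers), which is the kind of pointer the dump's eth:other stops show. */
    r = decode_frame(frame + 83, n - 83, &pc, &et, &proto);
    printf("83 bytes in:  result=%d ntohs(ether_type)=0x%04x gdb shows 0x%x (%s)\n",
           r, et, ethertype_as_gdb_prints(frame + 83),
           ethertype_looks_like_text(et) ? "both bytes printable ASCII" : "binary");
    printf("eth:ip4:tcp=%u eth:other=%u\n", pc.ip4_tcp, pc.eth_other);
    return 0;
}
```

Run it and the second line prints the same 0x203a that gdb showed at the "10.2\r\nAccept: ..." stop. When the real numbers from a debug session come out of this kind of decoder as printable pairs, the thing to examine is the pkt pointer handed to DecodeEthPkt() (and the pkthdr lengths next to it), not the switch in decode.c.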
Current thread:
- Re: HTTP INSPECT fails on Mirror Port, (continued)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 31)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 31)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 04)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 05)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 05)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 06)
- Re: HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Aug 07)
- Re: HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Aug 07)