Re: Problem with http_header content modifier

[Frederico Araujo <araujof () gmail com>]

I figured out the problem!

I had some NIC offload features enabled, which were causing packet
fragmentation. After running the following command to disable all offload
features, snort started detecting my rules with http_head:

     for i in rx tx sg tso ufo gso gro lro; do sudo ethtool -K eth0 $i off;
done

Detailed information can be found here in case someone else runs into the
same problem:
http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

Thanks,
Fred

On Fri, Jul 10, 2015 at 1:43 PM, Frederico Araujo <araujof () gmail com> wrote:

> Thanks for your reply, Waldo!
>
> does it work if you use http_raw_header instead?
> >
>
> No. I used http_raw_header and disabled fast_pattern:only, and it didn't
> alert.
>
> what does a packet capture of that packet look like?
> >
>
> 13:34:27.679160 IP (tos 0x0, ttl 128, id 24583, offset 0, flags [DF],
> proto TCP (6), length 128)
>     192.168.134.1.56096 > 192.168.134.138.80: Flags [P.], cksum 0xc44f
> (correct), seq 2669151629:2669151717, ack 2652066135, win 256, length 88
>     0x0000:  4500 0080 6007 4000 8006 0c94 c0a8 8601  E...`.@.........
>     0x0010:  c0a8 868a db20 0050 9f18 058d 9e13 5157  .......P......QW
>     0x0020:  5018 0100 c44f 0000 4745 5420 2f63 6769  P....O..GET./cgi
>     0x0030:  2d62 696e 2f74 6573 742d 6367 6920 4854  -bin/test-cgi.HT
>     0x0040:  5450 2f31 2e31 0d0a 486f 7374 3a20 3139  TP/1.1..Host:.19
>     0x0050:  322e 3136 382e 3133 342e 3133 380d 0a55  2.168.134.138..*U*
>     0x0060:  7365 722d 4167 656e 743a 2074 6573 740d  *ser-Agent:.test*.
>     0x0070:  0a41 6363 6570 743a 202a 2f2a 0d0a 0d0a  .Accept:.*/*....
>
>
> > lastly, i see you are using $EXTERNAL_NET and $HOME_NET and your snort is
> > on a
> > NATed VM...
> >
> > is your snort looking at the raw unNATed data on the outside interface of
> > your VM?
>
> Good question. How do I check that? This is how I'm starting snort:
>
> sudo /usr/local/bin/snort -A console -u snort -g snort -c
> /etc/snort/snort.conf -i eth0
>
> and this is my eth0 interface:
>
> eth0      Link encap:Ethernet  HWaddr 00:0c:29:c5:ec:b3
>           inet addr:192.168.134.138  Bcast:192.168.134.255
> Mask:255.255.255.0
>           inet6 addr: fe80::20c:29ff:fec5:ecb3/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:30891 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:15517 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:16854013 (16.8 MB)  TX bytes:2368127 (2.3 MB)
>
>
> > perhaps your $EXTERNAL_NET doesn't encompass the IP you are testing from?
> >
> > what are the contents of your $EXTERNAL_NET and $HOME_NET along with your
> > testing IP and your snort's IP?
>
>
> I think it does encompass the IP, because my simple ICMP and TCP rules
> (without http_header) work just fine.
> EXTERNAL_NET = any
> HOME_NET = 192.168.134.138 (I also tested with 192.168.134.0/24)
> testing IP = 192.168.134.1 (host)
> snort IP = 192.168.134.138 (VM where snort is installed)
>
> Thanks,
> Fred
------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!