Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Incomplete Header with HTTP Inspect Original Client IP enabled

From: Daniel Garczek <dgarczek () gmail com>
Date: Thu, 13 Oct 2016 14:06:03 -0500
Hi Snort Community,

I am using the enable_xff option within the http inspect preprocessor to
parse and log the original client IP present in the X-Forwarded-For or
True-Client-IP HTTP request headers. As soon as I launch Snort, I start
getting alerts labeled http_inspect: INVALID IP IN TRUE-CLIENT-IP/XFF
HEADER.

Looking at the payload in Snorby, I notice that the X-Forwarded-For or
True-Client-IP is incomplete. Usually one or two octets of the IP address
are missing, suggesting that the whole HTTP Header is not getting processed.

Below is an example payload from Snorby. I shortened the GET, User-Agent,
and Cookie fields - they're usually very long.











*GET./news-and-events/article-insider-inbox/article-1/Theres-nothing-like-Lambeau-on-gamedays...(shortened).x-fb-net-sid:.1818.User-Agent:.Mozilla/5.0.(Linux;.Android.6.0.1;.SM-G900V.Build/MMB29M;.wv).AppleWebKit/537.36.(KHTML,.like.Gecko)...(shortened).Accept:.text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8.X-Purpose:.preview.x-fb-sim-hni:.311480.x-fb-net-hni:.311480.Referer:.http://m.facebook.com/
<http://m.facebook.com/>.Cookie:.__psrw=688f1322-3413-4d61-98d0-ace88f7da8d9;...(shortened).x-fb-http-engine:.Liger.True-Client-IP:.216*

Snort is configured to output logs in unified2 format. When I use u2spewfoo
to look at the snort logs, the packet_length for the "INVALID IP IN
TRUE-CLIENT-IP/XFF HEADER" events is always at 1434 and the http header
looks incomplete at the bottom.

I've been trying different options within the http inspect preprocessor
configuration, but nothing seems to work.

I'm running Snort Version 2.9.8.3

Below is my http_inspect configuration:



































*# HTTP normalization and anomaly detection.  For more information, see
README.http_inspectpreprocessor http_inspect: global iis_unicode_map
unicode.map 1252 compress_depth 65535 decompress_depth 65535preprocessor
http_inspect_server: server default \    http_methods { GET POST PUT SEARCH
MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK
OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE
PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST
CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
chunk_length 500000 \    server_flow_depth 0 \    client_flow_depth 0 \
post_depth 65495 \    oversize_dir_length 500 \    max_header_length 750 \
  max_headers 100 \    max_spaces 200 \    small_chunk_length { 10 5 } \
ports { 80 } \    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }
\     enable_cookie \    extended_response_inspection \    inspect_gzip \
  normalize_utf \    unlimited_decompress \    normalize_javascript \
apache_whitespace no \    ascii no \    bare_byte no \    directory no \
double_decode no \    iis_backslash no \    iis_delimiter no \
iis_unicode no \    multi_slash no \    utf_8 no \    u_encode yes \
webroot no \    enable_xff \    xff_headers { [ incap-client-ip 1 ] [
true-client-ip 2 ] [ x-forwarded-for 3 ] }*

Any advice is greatly appreciated.

Dan

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: