Snort mailing list archives
Strange HTTP results
From: Michael Papagiorgio <mrapagiorgio () gmail com>
Date: Sat, 15 Dec 2012 22:21:31 -0500
Dear snort gurus,

I am trying to see why a rule didn't fire on a snort 2.9.4 system, but it does on a different system running snort 2.9.2.1. I am reading from the same pcap file on each system. The rule hits on a certain HTTP POST pattern. The 2.9.2.1 system correctly identifies and throws an alert. 2.9.4 doesn't even see any HTTP POSTs in the pcap at all. I upgraded from 2.9.3.2 to 2.9.4 to see if I could get it to work, but neither version worked. The rule will never fire if the issue is so low level that snort sees no POSTs. I tried using the working 2.9.2.1 snort.conf on the 2.9.4 system, but that didn't work either. Can someone give me an idea where to look? This is really vexing me.

Output from the runs:

works:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2.1 IPv6 (Build 107)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.2.1
           Using PCRE version: 8.21 2011-12-12
           Using ZLIB version: 1.2.3.4

===============================================================================
Packet I/O Totals:
   Received:        18027
   Analyzed:        18027 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:        21082 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:        21082 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:        21082 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:         3055 ( 14.491%)
      Total:        21082
===============================================================================
Action Stats:
     Alerts:         3050 ( 14.467%)
     Logged:         3050 ( 14.467%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:        18027 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
            Total sessions: 3124
              TCP sessions: 3124
              UDP sessions: 0
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 3124
TCP StreamTrackers Deleted: 3124
              TCP Timeouts: 875
              TCP Overlaps: 0
       TCP Segments Queued: 3055
     TCP Segments Released: 3055
       TCP Rebuilt Packets: 3051
         TCP Segments Used: 3051
              TCP Discards: 196
                  TCP Gaps: 215
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 45
           Internal Events: 0
           TCP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 18027
           UDP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         3098
    GET methods:                          1
    HTTP Request Headers extracted:       3098
    HTTP Request Cookies extracted:       0
    Post parameters extracted:            0
    HTTP response Headers extracted:      0
    HTTP Response Cookies extracted:      0
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              6154
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 0
===============================================================================
===============================================================================
Snort exiting

doesn't work:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4 (Build 40)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.2.1
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.3.4

Packet I/O Totals:
   Received:        18027
   Analyzed:        18027 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:        21082 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:        21082 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:        21082 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:         3055 ( 14.491%)
      Total:        21082
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:        18027 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
            Total sessions: 3124
              TCP sessions: 3124
              UDP sessions: 0
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 3124
TCP StreamTrackers Deleted: 3124
              TCP Timeouts: 875
              TCP Overlaps: 0
       TCP Segments Queued: 3055
     TCP Segments Released: 3055
       TCP Rebuilt Packets: 3051
         TCP Segments Used: 3051
              TCP Discards: 196
                  TCP Gaps: 0
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 1195
           Internal Events: 0
           TCP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 18027
           UDP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          0
    HTTP Request Headers extracted:       0
    HTTP Request Cookies extracted:       0
    Post parameters extracted:            0
    HTTP response Headers extracted:      0
    HTTP Response Cookies extracted:      0
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              6154
===============================================================================
SMTP Preprocessor Statistics
  Total sessions                                    : 0
  Max concurrent sessions                           : 0
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 0
===============================================================================
===============================================================================
Snort exiting
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
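The two exit summaries in the post above are long and nearly identical, and the useful signal is in the handful of counters that differ and in which preprocessor stage they first appear. The script below is an added example (not code from the post, from Snort, or from the thread's replies): it parses Snort exit summaries into (stage, counter) pairs, reports every counter that differs between a known-good run and a failing run, and names the earliest pipeline stage at which they diverge. The two inputs are excerpts of the summaries from the post, reflowed to one counter per line; the stage ordering (packet I/O, protocol breakdown, Stream5, HTTP Inspect, action stats) is the author's assumption about the order a packet passes through them and exists only so the report can point at the earliest divergence. The script says where the runs diverge, not why.

```python
"""Diff two Snort exit summaries stage by stage (added example, not Snort code)."""
import re

# Assumed pipeline order, earliest stage first. Sections not listed here sort last.
STAGE_ORDER = [
    "Packet I/O Totals",
    "Breakdown by protocol",
    "Stream5 statistics",
    "HTTP Inspect",
    "Action Stats",
]

# Constructed inputs: excerpts of the two summaries from the post, one counter per line.
RUN_2921 = """\
Packet I/O Totals:
   Received:        18027
   Analyzed:        18027 (100.000%)
Breakdown by protocol (includes rebuilt packets):
        TCP:        21082 (100.000%)
     S5 G 2:         3055 ( 14.491%)
Stream5 statistics:
            Total sessions: 3124
       TCP Rebuilt Packets: 3051
              TCP Discards: 196
                  TCP Gaps: 215
                    Events: 45
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         3098
    GET methods:                          1
    HTTP Request Headers extracted:       3098
    Gzip Compressed Data Processed:       n/a
    Total packets processed:              6154
Action Stats:
     Alerts:         3050 ( 14.467%)
     Logged:         3050 ( 14.467%)
"""

RUN_294 = """\
Packet I/O Totals:
   Received:        18027
   Analyzed:        18027 (100.000%)
Breakdown by protocol (includes rebuilt packets):
        TCP:        21082 (100.000%)
     S5 G 2:         3055 ( 14.491%)
Stream5 statistics:
            Total sessions: 3124
       TCP Rebuilt Packets: 3051
              TCP Discards: 196
                  TCP Gaps: 0
                    Events: 1195
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          0
    HTTP Request Headers extracted:       0
    Gzip Compressed Data Processed:       n/a
    Total packets processed:              6154
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
"""


def stage_of(header_line):
    """Map a section header line ("Stream5 statistics:") onto a STAGE_ORDER name."""
    for stage in STAGE_ORDER:
        if header_line.startswith(stage):
            return stage
    return header_line.rstrip(":")


def parse_summary(text):
    """Return {(stage, counter): int}. Section headers end in ':'; counters are
    'label: N' or 'label: N (pct%)'. Non-numeric counters such as 'n/a' are skipped."""
    stats = {}
    stage = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:
            continue
        if line.endswith(":"):
            stage = stage_of(line)
            continue
        label, sep, rest = line.partition(":")
        m = re.match(r"\s*(\d+)", rest)
        if not sep or not m:
            continue
        stats[(stage, label.strip())] = int(m.group(1))
    return stats


def diff_summaries(good, bad):
    """Counters present in both runs with different values, sorted by pipeline stage.
    Each entry is (stage, counter, good_value, bad_value)."""
    order = {s: i for i, s in enumerate(STAGE_ORDER)}
    diffs = [(k[0], k[1], good[k], bad[k]) for k in good.keys() & bad.keys() if good[k] != bad[k]]
    diffs.sort(key=lambda d: (order.get(d[0], len(order)), d[1]))
    return diffs


def first_divergent_stage(diffs):
    """The earliest stage whose counters differ; that is where to start looking."""
    return diffs[0][0] if diffs else None


def report(good_text, bad_text):
    diffs = diff_summaries(parse_summary(good_text), parse_summary(bad_text))
    lines = [f"{stage:<22} {label:<32} {g:>6} -> {b:<6}" for stage, label, g, b in diffs]
    lines.append(f"first divergence: {first_divergent_stage(diffs)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RUN_2921, RUN_294))
```

Run against the two summaries in the post, the report lists only Stream5 (TCP Gaps, Events), HTTP Inspect (POST methods, GET methods, HTTP Request Headers extracted) and Action Stats (Alerts, Logged) and names Stream5 as the first divergent stage, which is the same conclusion the post reaches by eye: packet I/O and the protocol breakdown are identical, so the difference is introduced at reassembly, before HTTP Inspect ever sees a request. To use it on your own runs, capture each run's stdout to a file and pass the two texts to report().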
Current thread:
- Strange HTTP results Michael Papagiorgio (Dec 15)
- Re: Strange HTTP results Jeremy Hoel (Dec 15)
- Re: Strange HTTP results Joel Esler (Dec 16)