Re: HTTP Inspect with only a GET request.

[Russ Combs <rcombs () sourcefire com>]

On Tue, May 21, 2013 at 6:44 PM, Shawn Lee <dashawn () gmail com> wrote:
> Sorry if I missed the post where this was already discussed. I was unable to
> find it.
>
> When I run snort across a 2 packet sample consisting of a GET and a HTTP 200
> response Snort's http Inspect output is the following.
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                         0
>     GET methods:                          1
>     HTTP Request Headers extracted:       1
> ...
>     Total packets processed:              3
>
> When I run it just with the GET
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>    POST methods:                         0
>    GET methods:                          0
>    HTTP Request Headers extracted:       0
> ...
>    Total packets processed:              1
>
> I also turned on debugging and traced through the code and I can't find a
> way to turn an option on in order to tell snort to normalize across just a
> GET request. Without this I believe the snort process will not fire on
> uricontent if the response is lost due to packet loss, routing issues, or a
> web server that doesn't respond.
>
> Is there a way to get HTTP Inspect to normalize just a GET request without a
> response so I can use http rules?

Either add a TCP ack to the GET or do the following:

a.  add preprocessor normalize_tcp: ips to your conf
b.  add --daq dump --daq-var load-mode=read-file -Q to your command line

> snort.conf
>
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>                              track_udp no, show_rebuilt_packets
> preprocessor stream5_tcp: policy first
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 }
>
>
> Cmd
>
> ./snort -c /tmp/snort/snort.conf -r /tmp/snort/anon.pcap -l /tmp/ -k none
>
> ./snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4.6 GRE (Build 73)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.1.1
>            Using PCRE version: 8.12 2011-01-15
>            Using ZLIB version: 1.2.3.4
>
>
> ------------------------------------------------------------------------------
> Try New Relic Now & We'll Send You this Cool Shirt
> New Relic is the only SaaS-based application performance monitoring service
> that delivers powerful full stack analytics. Optimize and monitor your
> browser, app, & servers with just a few lines of code. Try New Relic
> and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!