Snort mailing list archives

Snort http_method not matching POST request on certain spanned networks


From: James P <jcpgeek () gmail com>
Date: Tue, 21 Jan 2014 13:18:29 -0600

I'm using Snort Version 2.9.5.6 GRE (Build 208) with the default snort.conf
that comes in the source tar (Only modified the rules statements).  I'm
just spanning the traffic on my switch and I put my eth1 in promiscuous
mode.

Here is the alert I set up:

alert tcp any any -> any 80 (content:"POST"; http_method; sid:2230002;)

Here is how I test my pcaps:
snort -C -v -d -r ./pcap/lab-test.pcap -c /etc/snort/snort-test2.conf -k none -l .

I took two tcpdumps from two spanned networks and looked at the packets for
anything unusual.  Both captures had the right ASCII POST as well as the
right hex value.  I cannot figure out why my one spanned network cannot see
HTTP POST.  If I run snort on the working cap I can see HTTP information,
but not in the non-working pcap.  From what I can tell I should be able to
detect in the non-working capture.

Any information on how snort detects http headers would be appreciated.

Snort Verbose Output:
Not Working:
01/21-12:01:48.447911 x.x.x.x:51192 -> x.x.x.x:80
TCP TTL:128 TOS:0x0 ID:30224 IpLen:20 DgmLen:1296 DF
***AP*** Seq: 0x81CA930A  Ack: 0xE1FC3A4C  Win: 0xFF  TcpLen: 20
POST /radio/xmlrpc/v35?rid=7307623P&method=sync HTTP/1.1..Host:

Working:
01/21-11:58:14.494426 x.x.x.x:50924 -> x.x.x.x:80
TCP TTL:128 TOS:0x0 ID:12967 IpLen:20 DgmLen:1425 DF
***AP*** Seq: 0xEE1A0E9  Ack: 0x9862AEC3  Win: 0x100  TcpLen: 20
POST /radio/xmlrpc/v35?rid=7089063P&method=sync HTTP/1.1..Host:

TCPDump Output:
Working:
:/var/testing# tcpdump -XX -nr ./pcap/lab-test.pcap | grep POST
reading from file ./pcap/lab-test.pcap, link-type EN10MB (Ethernet)
        0x0030:  0100 9257 0000 504f 5354 202f 7261 6469  ...W..POST./radi
        0x0030:  00ff e3f4 0000 504f 5354 202f 7261 6469  ......POST./radi
        0x0030:  00fc 22de 0000 504f 5354 202f 7261 6469  .."...POST./radi
        0x0030:  0100 ab10 0000 504f 5354 202f 7261 6469  ......POST./radi
        0x0030:  00fe c1a3 0000 504f 5354 202f 7261 6469  ......POST./radi
        0x0040:  2c48 504f 5354 202f 6367 692d 6269 6e2f  ,HPOST./cgi-bin/
        0x0040:  2cc8 504f 5354 202f 6367 692d 6269 6e2f  ,.POST./cgi-bin/
        0x0040:  2cc8 504f 5354 202f 6367 692d 6269 6e2f  ,.POST./cgi-bin/
        0x0030:  0100 dd70 0000 504f 5354 202f 7261 6469  ...p..POST./radi

Not Working:
:/var/testing# tcpdump -XX -nr ./pcap/test2.pcap | grep POST
reading from file ./pcap/test2.pcap, link-type EN10MB (Ethernet)
        0x0030:  3a4c 5018 00ff b92d 0000 504f 5354 202f  :LP....-..POST./
        0x0030:  3bc1 5018 00fe 0ed2 0000 504f 5354 202f  ;.P.......POST./
        0x0030:  a44b 5018 0104 2e2d 0000 504f 5354 202f  .KP....-..POST./
        0x0030:  a758 5018 0101 c0c9 0000 504f 5354 202f  .XP.......POST./
        0x0030:  af7d 5018 0103 0a32 0000 504f 5354 202f  .}P....2..POST./
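As an added example (not part of James's post), the script below reads the two quoted `tcpdump -XX` rows and computes where the request line begins in each frame: a plain Ethernet II + IPv4 + TCP frame with no options puts it at byte 54, so any surplus means something sits in front of the IP header. The row strings are taken from the dumps above; reading a 4-byte surplus as an 802.1Q VLAN tag is an assumption that should be confirmed with `tcpdump -e`.

```python
import re

# Rows constructed from the two dumps quoted in the post (0x0030 line of each).
WORKING_ROW = "0x0030:  0100 9257 0000 504f 5354 202f 7261 6469  ...W..POST./radi"
NOT_WORKING_ROW = "0x0030:  3a4c 5018 00ff b92d 0000 504f 5354 202f  :LP....-..POST./"

# Ethernet II (14) + IPv4 without options (20) + TCP without options (20).
PLAIN_HEADER_LEN = 14 + 20 + 20


def parse_row(row):
    """Return (row_offset, data) for one 'tcpdump -XX' hex row.

    tcpdump prints '0xNNNN:  hhhh hhhh ...  ascii'; the hex area and the
    ASCII column are separated by two spaces, so split on that first.
    """
    offset_part, rest = row.split(":", 1)
    row_offset = int(offset_part.strip(), 16)
    hex_area = rest.strip().split("  ")[0]
    if not re.fullmatch(r"([0-9a-fA-F]{2,4}\s*)+", hex_area):
        raise ValueError("not a tcpdump -XX hex row: %r" % row)
    return row_offset, bytes.fromhex(hex_area.replace(" ", ""))


def method_offset(row, method=b"POST"):
    """Absolute byte offset of the HTTP method within the frame, or None."""
    row_offset, data = parse_row(row)
    idx = data.find(method)
    return None if idx < 0 else row_offset + idx


def extra_header_bytes(row):
    """Bytes preceding the request line beyond Ethernet+IPv4+TCP, or None."""
    off = method_offset(row)
    return None if off is None else off - PLAIN_HEADER_LEN


def describe(row):
    """Plain-language reading of the surplus (assumption: 4 bytes = 802.1Q)."""
    extra = extra_header_bytes(row)
    if extra is None:
        return "request line not in this row"
    if extra == 0:
        return "plain Ethernet II frame; payload starts at byte 54"
    if extra == 4:
        return "4 extra bytes before IP, consistent with an 802.1Q tag (verify with tcpdump -e)"
    return "%d extra bytes before IP; inspect the link-layer header" % extra


if __name__ == "__main__":
    for name, row in (("working", WORKING_ROW), ("not working", NOT_WORKING_ROW)):
        print(name, method_offset(row), describe(row))
```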
Snort-users mailing list
Snort-users () lists sourceforge net