Snort mailing list archives
Snort http_method not matching POST request on certain spanned networks
From: James P <jcpgeek () gmail com>
Date: Tue, 21 Jan 2014 13:18:29 -0600
I'm using Snort Version 2.9.5.6 GRE (Build 208) with the default snort.conf that comes in the source tar (only modified the rules statements). I'm just spanning the traffic on my switch and I put my eth1 in promiscuous mode.

Here is my alert I set up:

    alert tcp any any -> any 80 (content:"POST"; http_method; sid:2230002;)

Here is how I test my pcaps:

    snort -C -v -d -r ./pcap/lab-test.pcap -c /etc/snort/snort-test2.conf -k none -l .

I took two tcpdumps from two spanned networks and looked at the packets for anything unusual. Both captures had the right ASCII POST as well as the right hex value. I cannot figure out why my one spanned network cannot see HTTP POST. If I run snort on the working cap I can see HTTP information, but not in the non-working pcap. From what I can tell I should be able to detect in the non-working capture. Any information on how snort detects http headers would be appreciated.

Snort Verbose Output:

Not Working:

    01/21-12:01:48.447911 x.x.x.x:51192 -> x.x.x.x:80
    TCP TTL:128 TOS:0x0 ID:30224 IpLen:20 DgmLen:1296 DF
    ***AP*** Seq: 0x81CA930A  Ack: 0xE1FC3A4C  Win: 0xFF  TcpLen: 20
    POST /radio/xmlrpc/v35?rid=7307623P&method=sync HTTP/1.1..Host:

Working:

    01/21-11:58:14.494426 x.x.x.x:50924 -> x.x.x.x:80
    TCP TTL:128 TOS:0x0 ID:12967 IpLen:20 DgmLen:1425 DF
    ***AP*** Seq: 0xEE1A0E9  Ack: 0x9862AEC3  Win: 0x100  TcpLen: 20
    POST /radio/xmlrpc/v35?rid=7089063P&method=sync HTTP/1.1..Host:

TCPDump Output:

Working:

    :/var/testing# tcpdump -XX -nr ./pcap/lab-test.pcap | grep POST
    reading from file ./pcap/lab-test.pcap, link-type EN10MB (Ethernet)
    0x0030:  0100 9257 0000 504f 5354 202f 7261 6469  ...W..POST./radi
    0x0030:  00ff e3f4 0000 504f 5354 202f 7261 6469  ......POST./radi
    0x0030:  00fc 22de 0000 504f 5354 202f 7261 6469  .."...POST./radi
    0x0030:  0100 ab10 0000 504f 5354 202f 7261 6469  ......POST./radi
    0x0030:  00fe c1a3 0000 504f 5354 202f 7261 6469  ......POST./radi
    0x0040:  2c48 504f 5354 202f 6367 692d 6269 6e2f  ,HPOST./cgi-bin/
    0x0040:  2cc8 504f 5354 202f 6367 692d 6269 6e2f  ,.POST./cgi-bin/
    0x0040:  2cc8 504f 5354 202f 6367 692d 6269 6e2f  ,.POST./cgi-bin/
    0x0030:  0100 dd70 0000 504f 5354 202f 7261 6469  ...p..POST./radi

Not Working:

    :/var/testing# tcpdump -XX -nr ./pcap/test2.pcap | grep POST
    reading from file ./pcap/test2.pcap, link-type EN10MB (Ethernet)
    0x0030:  3a4c 5018 00ff b92d 0000 504f 5354 202f  :LP....-..POST./
    0x0030:  3bc1 5018 00fe 0ed2 0000 504f 5354 202f  ;.P.......POST./
    0x0030:  a44b 5018 0104 2e2d 0000 504f 5354 202f  .KP....-..POST./
    0x0030:  a758 5018 0101 c0c9 0000 504f 5354 202f  .XP.......POST./
    0x0030:  af7d 5018 0103 0a32 0000 504f 5354 202f  .}P....2..POST./
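One thing a reader can check directly from the hex dumps quoted above is where in the frame the TCP payload actually starts: "POST" sits at frame offset 0x36 in the working capture but 0x3a in the non-working one, four bytes later, even though Snort reports IpLen:20 and TcpLen:20 for both. The following script is an added example, not code from the post, and it only parses `tcpdump -XX` hex lines to report that offset; reading a 4-byte shift as an 802.1Q VLAN tag on the SPAN port, and the `tcpdump -e` follow-up, are assumptions of this example rather than anything the poster established.

```python
import re

# Hex-dump lines copied from the tcpdump -XX output quoted in the post
# (one line from each capture); the rest of each frame is not on the page.
WORKING_LINE = "0x0030: 0100 9257 0000 504f 5354 202f 7261 6469 ...W..POST./radi"
NOT_WORKING_LINE = "0x0030: 3a4c 5018 00ff b92d 0000 504f 5354 202f :LP....-..POST./"

# Header sizes Snort printed for both captures (IpLen:20, TcpLen:20) plus an
# untagged Ethernet header; anything beyond this total is extra framing.
ETH_LEN, IP_LEN, TCP_LEN = 14, 20, 20
# Assumption: a 4-byte shift at the link layer is most often an 802.1Q tag.
DOT1Q_TAG_LEN = 4

# "0xNNNN:" followed by up to eight 16-bit hex groups; the ASCII column is ignored.
LINE_RE = re.compile(r"^0x([0-9a-f]{4}):\s+((?:[0-9a-f]{4}(?:\s+|$)){1,8})")


def parse_hexdump_line(line):
    """Return (base_offset, bytes) for one `tcpdump -XX` hex line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump -XX hex line: %r" % line)
    base = int(m.group(1), 16)
    data = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    return base, data


def post_offset(line):
    """Absolute frame offset at which 'POST' begins on this line, or -1."""
    base, data = parse_hexdump_line(line)
    idx = data.find(b"POST")
    return base + idx if idx >= 0 else -1


def diagnose(line):
    """Compare the payload offset with what plain Ethernet/IP/TCP would give."""
    expected = ETH_LEN + IP_LEN + TCP_LEN  # 54 == 0x36
    off = post_offset(line)
    if off < 0:
        return "no POST on this line"
    extra = off - expected
    if extra == 0:
        return "payload at %d: plain Ethernet/IP/TCP, as Snort expects" % off
    if extra == DOT1Q_TAG_LEN:
        return ("payload at %d: %d extra link-layer bytes, consistent with an "
                "802.1Q VLAN tag; confirm with `tcpdump -e -nr <file>`" % (off, extra))
    return "payload at %d: %d unexpected extra bytes before the payload" % (off, extra)


if __name__ == "__main__":
    print("working:     ", diagnose(WORKING_LINE))
    print("not working: ", diagnose(NOT_WORKING_LINE))
```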