Re: no http traffic detected at all

[James Lay <jlay () slave-tothe-box net>]

On Fri, 2014-05-16 at 12:04 +0200, Edwin Smulders wrote:

> Hello,
>
> I have a problem I would like some help with, the http inspect preprocessor is not correctly identifying http 
> methods. In my test setup I have 2 machines, 1x Debian 7 (192.168.10.105) and 1x CentOS 6.5 (192.168.10.107). Both 
> are vmware guests.
> On both these machines I have made a tcpdump of some HTTP requests - just simple wgets.
>
> On both machines I also have a snort install - 2.9.6.1 from the rpm package and self compiled on the debian machine.
> At first I was thinking the debian install was having problems detecting HTTP traffic, but it’s slightly different.
>
> When I load the CentOS tcpdump in both installs, they both detect HTTP GET Requests.
> When I load the debian tcpdump in both installs, neither detects HTTP GET Requests.
>
> I’ve attached the tcpdumps (if that works to the mailing list, otherwise I’ll host them somewhere), can anybody help 
> me find out what is different?
>
> Note that the same thing happened in the (a bit older) snort version + config in the debian package manager.
>
> Config for the debian machine: http://paste.debian.net/99908/
> Config for the centos machine: http://paste.debian.net/99909/
> They should be similar except for paths. Most rules should be disabled, this is just about the http inspect 
> preprocessor detecting the correct methods.
>
> I have output logs for the following commands: 
>
> root@snorttest2:/home/esmulders/snort-2.9.6.1# /usr/local/bin/snort -c etc/snort.conf -H -U -A cmg -r 
> http-debian.pcap &> snort-debianpcap.log
> root@snorttest2:/home/esmulders/snort-2.9.6.1# /usr/local/bin/snort -c etc/snort.conf -H -U -A cmg -r 
> http-centos.pcap &> snort-centospcap.log
>
> snort-debianpcap.log: http://paste.debian.net/99910/
> snort-centospcap.log: http://paste.debian.net/99911/
>
> In these outputs the relevant lines are:
> GET methods:                          0 
> and
> GET methods:                          10
>
> Can somebody help me debug this? Let me know if you have debugging tips or if I can provide some more information.
> I’m available on Freenode/#snort as Dutchy for direct communication (european timezone/business hours work best for 
> me).
>
>
> Regards,
> Edwin
>
>
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


Add "-k none" to your read and capture lines....checksum issue.

James

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!