Snort mailing list archives

Re: HTTP INSPECT fails on Mirror Port


From: Anand Raj Manickam <anandrm () gmail com>
Date: Mon, 21 Jul 2014 22:11:35 +0530

My understanding was you do not need afpacket for a mirror port, since the setting was pcap (passive). Please correct me if I'm wrong.
Snort was configured with ./configure --with-dnet-includes=/xyz --with-dnet-libraries=/xyz, and DAQ without any parameters.

On Mon, Jul 21, 2014 at 9:39 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2014-07-21 09:52, Anand Raj Manickam wrote:
Hi James,
I have attached the pcap.
Thanks,
Anand

On Mon, Jul 21, 2014 at 9:02 PM, James Lay <jlay () slave-tothe-box net>
wrote:
On 2014-07-21 09:14, Anand Raj Manickam wrote:
It works fine with a pcap; the issue I'm facing is when configured with a SPAN/Mirror port of a switch where the traffic is mirrored from the host. It hits till the TCP (only tracked at Stream5) but does not hit the HTTP Inspect.

On Mon, Jul 21, 2014 at 7:55 PM, James Lay
<jlay () slave-tothe-box net>
wrote:
On 2014-07-21 05:51, Anand Raj Manickam wrote:
Any Suggestions ?

On Fri, Jul 18, 2014 at 5:28 PM, Anand Raj Manickam
<anandrm () gmail com> wrote:
I do not see a change; it's the same.
Screen shot: http://pastebin.com/XpcHjRqB


On Fri, Jul 18, 2014 at 5:21 PM, Joel Esler (jesler)
<jesler () cisco com> wrote:
Can you add -k none to the command line and see what happens?

--
Joel Esler
Sent from my iPhone

On Jul 18, 2014, at 7:49, "Anand Raj Manickam"
<anandrm () gmail com>
wrote:

Hi,
I have Snort configured on the mirror port of a switch. Snort fails to detect HTTP, but it does detect TCP and Stream5. The Stream5 stats only show that it tracks. I have the http_inspect and http_inspect_server preprocessors configured. But when configured to read from a pcap file, with the same config, the HTTP is detected.
Can someone shed some light on what's missing in my configuration in live mirror port mode?

# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv

The config file : http://pastebin.com/qUpTfRLY
The Snort Stats : http://pastebin.com/ADWvJAZQ

With a pcap file, the HTTP Inspect is fine:
snort -c /snort-2.9.6.1/etc/snort.conf -r /data/test.pcap

Thanks,

Can you provide a sanitized pcap?

James

I understand... please provide a capture of the traffic captured at the span/mirrored port.

James

It looks like your Snort is missing afpacket; mine is shown below:

Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv


How did you ./configure snort and daq?



Here's a run using your pcap and your snort.conf

Commencing packet processing (pid=5599)
===============================================================================
Run time for packet processing was 0.984 seconds
Snort processed 24 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
    Pkts/sec:           24
Preprocessor Profile Statistics (all)
==========================================================
  Num            Preprocessor Layer     Checks      Exits  Microsecs  Avg/Check Pct of Caller Pct of Total
  ===            ============ =====     ======      =====  =========  ========= ============= ============
   1              httpinspect     0          4          4        122      30.69         32.73        32.73
   2                       s5     0         20         20        255      12.79         68.22        68.22
    1                   s5tcp     1         20         20        241      12.10         94.56        64.51
     1             s5TcpState     2         19         19        218      11.51         90.35        58.28
      1            s5TcpFlush     3          2          2         13       6.99          6.40         3.73
       1  s5TcpProcessRebuilt     4          2          2        111      55.58        794.95        29.64
       2     s5TcpBuildPacket     4          2          2          0       0.43          6.18         0.23
      2             s5TcpData     3          4          4         26       6.73         12.32         7.18
       1       s5TcpPktInsert     4          4          4         20       5.13         76.14         5.47
      3              s5TcpPAF     3         17         17         21       1.25          9.68         5.64
     2           s5TcpNewSess     2          1          1          7       7.25          3.00         1.93
    3                    mpse     1          1          1          1       1.61           inf         0.43
    4                   decode     0         24         24         35       1.50          9.57         9.57
    5                   eventq     0         50         50          4       0.10          1.31         1.31
  total                 total     0         24         24        375      15.63          0.00         0.00
Rule Profile Statistics (all rules)
==========================================================
No rules were profiled
===============================================================================
Memory usage summary:
   Total non-mmapped bytes (arena):       2932736
   Bytes in mapped regions (hblkhd):      6868992
   Total allocated space (uordblks):      1191904
   Total free space (fordblks):           1740832
   Topmost releasable block (keepcost):   5000
===============================================================================
Packet I/O Totals:
    Received:           24
    Analyzed:           24 (100.000%)
     Dropped:            0 (  0.000%)
    Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
    Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
         Eth:           24 (100.000%)
        VLAN:            0 (  0.000%)
         IP4:           20 ( 83.333%)
        Frag:            0 (  0.000%)
        ICMP:            0 (  0.000%)
         UDP:            0 (  0.000%)
         TCP:           20 ( 83.333%)
         IP6:            0 (  0.000%)
     IP6 Ext:            0 (  0.000%)
    IP6 Opts:            0 (  0.000%)
       Frag6:            0 (  0.000%)
       ICMP6:            0 (  0.000%)
        UDP6:            0 (  0.000%)
        TCP6:            0 (  0.000%)
      Teredo:            0 (  0.000%)
     ICMP-IP:            0 (  0.000%)
       EAPOL:            0 (  0.000%)
     IP4/IP4:            0 (  0.000%)
     IP4/IP6:            0 (  0.000%)
     IP6/IP4:            0 (  0.000%)
     IP6/IP6:            0 (  0.000%)
         GRE:            0 (  0.000%)
     GRE Eth:            0 (  0.000%)
    GRE VLAN:            0 (  0.000%)
     GRE IP4:            0 (  0.000%)
     GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
    GRE PPTP:            0 (  0.000%)
     GRE ARP:            0 (  0.000%)
     GRE IPX:            0 (  0.000%)
    GRE Loop:            0 (  0.000%)
        MPLS:            0 (  0.000%)
         ARP:            4 ( 16.667%)
         IPX:            0 (  0.000%)
    Eth Loop:            0 (  0.000%)
    Eth Disc:            0 (  0.000%)
    IP4 Disc:            0 (  0.000%)
    IP6 Disc:            0 (  0.000%)
    TCP Disc:            0 (  0.000%)
    UDP Disc:            0 (  0.000%)
   ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
       Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
     Bad TTL:            0 (  0.000%)
      S5 G 1:            0 (  0.000%)
      S5 G 2:            0 (  0.000%)
       Total:           24
===============================================================================
Action Stats:
      Alerts:            0 (  0.000%)
      Logged:            0 (  0.000%)
      Passed:            0 (  0.000%)
Limits:
       Match:            0
       Queue:            0
         Log:            0
       Event:            0
       Alert:            0
Verdicts:
       Allow:           24 (100.000%)
       Block:            0 (  0.000%)
     Replace:            0 (  0.000%)
   Whitelist:            0 (  0.000%)
   Blacklist:            0 (  0.000%)
      Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
         Total Fragments: 0
       Frags Reassembled: 0
                Discards: 0
           Memory Faults: 0
                Timeouts: 0
                Overlaps: 0
               Anomalies: 0
                  Alerts: 0
                   Drops: 0
      FragTrackers Added: 0
     FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
     Frag Nodes Inserted: 0
      Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
             Total sessions: 1
               TCP sessions: 1
               UDP sessions: 0
              ICMP sessions: 0
                IP sessions: 0
                 TCP Prunes: 0
                 UDP Prunes: 0
                ICMP Prunes: 0
                  IP Prunes: 0
TCP StreamTrackers Created: 1
TCP StreamTrackers Deleted: 1
               TCP Timeouts: 0
               TCP Overlaps: 0
        TCP Segments Queued: 2
      TCP Segments Released: 2
        TCP Rebuilt Packets: 2
          TCP Segments Used: 2
               TCP Discards: 0
                   TCP Gaps: 0
       UDP Sessions Created: 0
       UDP Sessions Deleted: 0
               UDP Timeouts: 0
               UDP Discards: 0
                     Events: 0
            Internal Events: 0
            TCP Port Filter
                   Filtered: 0
                  Inspected: 0
                    Tracked: 20
            UDP Port Filter
                   Filtered: 0
                  Inspected: 0
                    Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
     POST methods:                         0
     GET methods:                          1
     HTTP Request Headers extracted:       1
     HTTP Request Cookies extracted:       0
     Post parameters extracted:            0
     HTTP response Headers extracted:      1
     HTTP Response Cookies extracted:      0
     Unicode:                              0
     Double unicode:                       0
     Non-ASCII representable:              0
     Directory traversals:                 0
     Extra slashes ("//"):                 0
     Self-referencing paths ("./"):        0
     HTTP Response Gzip packets extracted: 0
     Gzip Compressed Data Processed:       n/a
     Gzip Decompressed Data Processed:     n/a
     Total packets processed:              4
===============================================================================

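As an added example (not part of this thread, nor Snort's own code), a small Python checker that parses the stats layout pasted above and the "snort --daq-list" output from the first message, and flags the three things raised in the thread: checksum errors (the reason for the -k none test), Stream5 tracking TCP while http_inspect processes nothing, and a missing afpacket DAQ. The sample text below is constructed in that layout; the numbers are made up.

```python
import re

# Constructed sample in the layout of the stats James pasted (abridged) and of
# the "snort --daq-list" output from the first message; values are made up.
SAMPLE_STATS = """\
Packet I/O Totals:
    Received:           24
    Analyzed:           24 (100.000%)
Bad Chk Sum:            0 (  0.000%)
Stream5 statistics:
            TCP Port Filter
                   Filtered: 0
                  Inspected: 0
                    Tracked: 20
HTTP Inspect - encodings (Note: stream-reassembled packets included):
     GET methods:                          1
     Total packets processed:              4
"""
SAMPLE_DAQ = """\
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
"""

def parse_counters(text):
    """Map 'Label:   N' lines (optionally followed by a percentage) to ints."""
    return {m.group(1).strip(): int(m.group(2))
            for m in re.finditer(r"^\s*([A-Za-z0-9 /()\-]+?):[ \t]+(\d+)", text, re.M)}

def tcp_tracked(text):
    """Stream5 'Tracked' count under 'TCP Port Filter' (the UDP block has its own)."""
    m = re.search(r"TCP Port Filter\s*\n(?:[^\n]*\n){0,2}\s*Tracked:\s*(\d+)", text)
    return int(m.group(1)) if m else 0

def parse_daq_list(text):
    """Module names from 'snort --daq-list', e.g. {'pcap', 'nfq'}."""
    return set(re.findall(r"^(\w+)\(v\d+\):", text, re.M))

def diagnose(stats_text, daq_text):
    """Return the checks from the thread that this run trips, in a fixed order."""
    c = parse_counters(stats_text)
    findings = []
    if c.get("Bad Chk Sum", 0) > 0:
        findings.append("checksum failures seen: retest with -k none")
    if tcp_tracked(stats_text) > 0 and c.get("Total packets processed", 0) == 0:
        findings.append("stream5 tracks TCP but http_inspect processed no packets")
    if "afpacket" not in parse_daq_list(daq_text):
        findings.append("afpacket DAQ not built; pcap is the only live capture DAQ")
    return findings
```

Feed it the real output of a live run and a pcap run of the same traffic; a finding that appears only for the live run points at the capture path rather than the rules.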

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

