Snort mailing list archives
Re: Is that ok to use tcpdump 4.0 for snort on Centos 6.5
From: Jutichai Thongkrachai <thsecmaniac () gmail com>
Date: Tue, 22 Jul 2014 06:45:10 +0700
To Waldo,

In the second paragraph of the second page, William said the version of tcpdump must be more than 4.1; that is what made me ask the question. :-)

Jutichai

2014-07-22 6:17 GMT+07:00 <snort-users-request () lists sourceforge net>:
Today's Topics:

1. Re: HTTP INSPECT fails on Mirror Port (Anand Raj Manickam)
2. Re: HTTP INSPECT fails on Mirror Port (James Lay)
3. Re: Is that ok to use tcpdump 4.0 for snort on Centos 6.5 (waldo kitty)
4. Winsnort on virtual machine (Alan Gao)
5. Re: Winsnort on virtual machine (Michael Steele)

---------- Forwarded message ----------
From: Anand Raj Manickam <anandrm () gmail com>
To: James Lay <jlay () slave-tothe-box net>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Date: Mon, 21 Jul 2014 22:11:35 +0530
Subject: Re: [Snort-users] HTTP INSPECT fails on Mirror Port

My understanding was you do not need afpacket for mirror port, since the setting was pcap - passive. Please correct me if I'm wrong.

snort was configured with ./configure --with-dnet-includes=/xyz --with-dnet-libraries=/xyz
DAQ without any parameters

On Mon, Jul 21, 2014 at 9:39 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2014-07-21 09:52, Anand Raj Manickam wrote:
Hi James, I have attached the pcap. Thanks, Anand
On Mon, Jul 21, 2014 at 9:02 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2014-07-21 09:14, Anand Raj Manickam wrote:
It works fine with a pcap; the issue I'm facing is when configured with a SPAN/Mirror port of a switch where the traffic is mirrored from the host. It hits till the TCP (only tracked at Stream 5) but does not hit the HTTP Inspect.
On Mon, Jul 21, 2014 at 7:55 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2014-07-21 05:51, Anand Raj Manickam wrote:
Any suggestions?
On Fri, Jul 18, 2014 at 5:28 PM, Anand Raj Manickam <anandrm () gmail com> wrote:
I do not see a change, it's the same. Screen shot: http://pastebin.com/XpcHjRqB
On Fri, Jul 18, 2014 at 5:21 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
Can you add -k none to the command line and see what happens?
-- Joel Esler
Sent from my iPhone
On Jul 18, 2014, at 7:49, "Anand Raj Manickam" <anandrm () gmail com> wrote:
Hi, I have the snort configured on the Mirror Port of a Switch. Snort fails to detect HTTP, but it does detect the TCP and Stream5. The Stream5 Stats only show that it Tracks. I have the http_inspect and http_inspect_server preprocessors configured. But when configured to read from a pcap file, with the same config, the HTTP is detected. Can someone shed some light on what's missing in my configuration in live Mirror port mode?

# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv

The config file: http://pastebin.com/qUpTfRLY
The Snort Stats: http://pastebin.com/ADWvJAZQ
With a pcap file, the HTTP Inspect is fine:
snort -c /snort-2.9.6.1/etc/snort.conf -r /data/test.pcap
Thanks,

Can you provide a sanitized pcap?
James

I understand...please provide a capture of the traffic captured at the span/mirrored port.
James

It looks like your snort is missing afpacket..mine shown below:

Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

How did you ./configure snort and daq?
Here's a run using your pcap and your snort.conf

Commencing packet processing (pid=5599)
===============================================================================
Run time for packet processing was 0.984 seconds
Snort processed 24 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:           24

Preprocessor Profile Statistics (all)
==========================================================
 Num            Preprocessor Layer     Checks      Exits  Microsecs  Avg/Check Pct of Caller Pct of Total
 ===            ============ =====     ======      =====  =========  ========= ============= ============
  1              httpinspect     0          4          4        122      30.69         32.73        32.73
  2                       s5     0         20         20        255      12.79         68.22        68.22
   1                   s5tcp     1         20         20        241      12.10         94.56        64.51
    1             s5TcpState     2         19         19        218      11.51         90.35        58.28
     1           s5TcpFlush     3          2          2         13       6.99          6.40         3.73
      1  s5TcpProcessRebuilt     4          2          2        111      55.58        794.95        29.64
      2     s5TcpBuildPacket     4          2          2          0       0.43          6.18         0.23
     2            s5TcpData     3          4          4         26       6.73         12.32         7.18
      1       s5TcpPktInsert     4          4          4         20       5.13         76.14         5.47
     3             s5TcpPAF     3         17         17         21       1.25          9.68         5.64
    2           s5TcpNewSess     2          1          1          7       7.25          3.00         1.93
  3                     mpse     1          1          1          1       1.61           inf         0.43
  4                   decode     0         24         24         35       1.50          9.57         9.57
  5                   eventq     0         50         50          4       0.10          1.31         1.31
 total                  total     0         24         24        375      15.63          0.00         0.00

Rule Profile Statistics (all rules)
==========================================================
No rules were profiled
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       2932736
  Bytes in mapped regions (hblkhd):      6868992
  Total allocated space (uordblks):      1191904
  Total free space (fordblks):           1740832
  Topmost releasable block (keepcost):   5000
===============================================================================
Packet I/O Totals:
   Received:           24
   Analyzed:           24 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:           24 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:           20 ( 83.333%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:           20 ( 83.333%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            4 ( 16.667%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:           24
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:           24 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
            Total sessions: 1
              TCP sessions: 1
              UDP sessions: 0
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 1
TCP StreamTrackers Deleted: 1
              TCP Timeouts: 0
              TCP Overlaps: 0
       TCP Segments Queued: 2
     TCP Segments Released: 2
       TCP Rebuilt Packets: 2
         TCP Segments Used: 2
              TCP Discards: 0
                  TCP Gaps: 0
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
           Internal Events: 0
           TCP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 20
           UDP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          1
    HTTP Request Headers extracted:       1
    HTTP Request Cookies extracted:       0
    Post parameters extracted:            0
    HTTP response Headers extracted:      1
    HTTP Response Cookies extracted:      0
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              4
===============================================================================

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
---------- Forwarded message ----------
From: James Lay <jlay () slave-tothe-box net>
To: <snort-users () lists sourceforge net>
Cc:
Date: Mon, 21 Jul 2014 11:06:12 -0600
Subject: Re: [Snort-users] HTTP INSPECT fails on Mirror Port

On 2014-07-21 10:41, Anand Raj Manickam wrote:
My understanding was you do not need afpacket for mirror port, since the setting was pcap - passive. Please correct me if I'm wrong.
snort was configured with ./configure --with-dnet-includes=/xyz --with-dnet-libraries=/xyz
DAQ without any parameters
On Mon, Jul 21, 2014 at 9:39 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2014-07-21 09:52, Anand Raj Manickam wrote:
Hi James, I have attached the pcap. Thanks, Anand

Technically I believe you are right, but at this stage, I'm playing "spot the differences". My snort config line:

./configure --prefix=/opt --enable-sourcefire --with-dnet-libraries=/usr/local/lib --enable-non-ether-decoders

and my daq config and a snippet of that output:

./configure --prefix=/usr
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes

How does yours differ?

James

---------- Forwarded message ----------
From: waldo kitty <wkitty42 () windstream net>
To: snort-users () lists sourceforge net
Cc:
Date: Mon, 21 Jul 2014 16:37:51 -0400
Subject: Re: [Snort-users] Is that ok to use tcpdump 4.0 for snort on Centos 6.5

On 7/21/2014 10:33 AM, Jutichai Thongkrachai wrote:
Hello, I am a newbie with Snort. I set up Snort 2.9.6 following this guide for CentOS: https://www.snort.org/documents/4
In this guide, William said Snort requires tcpdump 4.1+, but the latest update of tcpdump is 4.0.0.3 for CentOS 6.5. Is it ok to use tcpdump 4.0 for Snort 2.9.6?

you need to be more specific... AFAIK, tcpdump is an external tool used to capture and read pcap files... what is your use of tcpdump with snort?
i looked at the referenced document and see only where they mention that you can use it to read the snort.log.xxxxxxxxxxxxxx pcap files... outside of that, it is not required...

--
NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.

---------- Forwarded message ----------
From: Alan Gao <Alan.Gao () msistone com>
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Cc:
Date: Mon, 21 Jul 2014 22:38:26 +0000
Subject: [Snort-users] Winsnort on virtual machine

Hi - I installed Winsnort on a VirtualBox Win7 machine. The installation worked but nothing is logged. The VM has 2 virtual NICs, Host-only and NAT. I was hoping Snort can listen on the NAT NIC so it can log any attack on the host machine. Does this setup work, or has anyone had success with it?

Sincerely,
-Alan

---------- Forwarded message ----------
From: "Michael Steele" <michaels () winsnort com>
To: "'Alan Gao'" <Alan.Gao () msistone com>, <snort-users () lists sourceforge net>
Cc:
Date: Mon, 21 Jul 2014 19:17:22 -0400
Subject: Re: [Snort-users] Winsnort on virtual machine

It's being used in multiple VMware solutions, so I see no reason why it's not working in VirtualBox, other than configuration errors.

Best regards,
Michael...
WINSNORT.com Management...
--
****************** Established ~ 2001 *******************
* Visit Us @ http://www.winsnort.com *
* ~~ FREE WinIDS Snort installation guides ~~ *
* ~~ FREE support forums ~~ *
* Snort: Open Source Network IDS - http://www.snort.org *
*********************************************************
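Joel's "-k none" suggestion in the HTTP Inspect thread above concerns Snort's checksum verification mode (the -k command-line flag / checksum_mode config option, default "all"). A packet that fails verification is counted under "Bad Chk Sum" in the run summary and is not passed on to stream5, so http_inspect never sees its data even though the packet was received and decoded; the classic cause is a capture taken on a host whose NIC computes the TCP checksum in hardware, so libpcap sees the segment with an empty checksum field. The thread does not establish that this was Anand's problem (he reported no change with -k none), but it is the first thing to rule out when a live sensor tracks TCP and inspects nothing. The script below is an added example, not code from the thread or from Snort: it builds a constructed Ethernet/IPv4/TCP frame, verifies the IP and TCP checksums the way a decoder does (RFC 1071 one's-complement sum over the header plus, for TCP, the pseudo-header), and shows a frame with an offload-style zero TCP checksum failing. Addresses, ports and MACs are arbitrary.

```python
"""Verify IPv4 and TCP checksums on a raw Ethernet frame.

Added example, not code from the thread or from Snort. It shows what a
checksum check (Snort's -k / checksum_mode) decides about a frame before
any preprocessor sees it. All frames here are constructed.
"""
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words.

    Verifying a header *including* its checksum field must yield 0.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(tcp_checksum=None) -> bytes:
    """Constructed Ethernet/IPv4/TCP SYN (no payload), 192.168.1.10:40000 -> 10.0.0.5:80.

    With tcp_checksum=None the correct TCP checksum is filled in; pass 0 to
    mimic a segment captured on a host whose NIC does TX checksum offload
    (the field is still empty when libpcap copies the packet).
    """
    src_ip, dst_ip = bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5])
    # TCP: sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    csum = inet_checksum(pseudo + tcp) if tcp_checksum is None else tcp_checksum
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    # IPv4: ver/ihl, tos, total length, id, flags/frag (DF), ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def verify_checksums(frame: bytes) -> dict:
    """Return {'ip_ok': bool, 'tcp_ok': bool or None} for an Ethernet/IPv4 frame.

    tcp_ok is None when the IP payload is not TCP. A frame with tcp_ok False
    is what Snort's default -k all counts as "Bad Chk Sum" and withholds from
    stream5, so http_inspect never sees it.
    """
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    result = {"ip_ok": inet_checksum(ip[:ihl]) == 0, "tcp_ok": None}
    if ip[9] == 6:                           # protocol 6 = TCP
        segment = ip[ihl:total_len]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(segment))
        result["tcp_ok"] = inet_checksum(pseudo + segment) == 0
    return result


if __name__ == "__main__":
    print("frame as seen on the wire      :", verify_checksums(build_frame()))
    print("frame with offloaded (zero) csum:", verify_checksums(build_frame(tcp_checksum=0)))
```

If a live run shows a non-zero "Bad Chk Sum" count, re-run with -k none (or fix the capture point, e.g. disable TX offload on the sensor's own traffic with ethtool) before looking at preprocessor configuration; if the count is zero, as in James's pcap run above, the checksum path is not the explanation.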
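James's diagnostic approach in the thread is to compare summaries: with the pcap, the preprocessor profile shows httpinspect with 4 checks and the HTTP Inspect section shows 4 packets processed, while on the live SPAN port Anand sees Stream5 tracking TCP and nothing from HTTP Inspect. The script below is an added example, not from the thread or from Snort. It pulls those counters out of a Snort 2.9 run summary (the field names are the ones printed in James's output above, matched whether the text is line-broken or flattened as it was in the digest) and sorts the run into one of a few cases. The first sample is James's summary trimmed to the relevant counters; the other two are constructed variants, one mimicking Anand's symptom and one with checksum failures. The classification rules are this example's own, not Snort's.

```python
"""Triage a Snort 2.9 run summary: did HTTP Inspect actually see anything?

Added example, not code from the thread or from Snort. Counters are matched
by the field names Snort prints; the classification is this script's own.
"""
import re

# James's summary from the thread, trimmed to the counters used here.
PCAP_RUN = """
Packet I/O Totals: Received: 24 Analyzed: 24 (100.000%) Dropped: 0 ( 0.000%)
Breakdown by protocol (includes rebuilt packets): Eth: 24 (100.000%) IP4: 20 ( 83.333%)
TCP: 20 ( 83.333%) ARP: 4 ( 16.667%) Bad Chk Sum: 0 ( 0.000%) Total: 24
Preprocessor Profile Statistics (all)
1 httpinspect 0 4 4 122 30.69 32.73 32.73
2 s5 0 20 20 255 12.79 68.22 68.22
TCP Port Filter Filtered: 0 Inspected: 0 Tracked: 20
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 0 GET methods: 1 Total packets processed: 4
"""

# Constructed (not from the thread): Anand's symptom, TCP tracked by stream5
# but HTTP Inspect never ran; no preprocessor profiling in this run.
LIVE_RUN_NO_HTTP = """
Packet I/O Totals: Received: 24 Analyzed: 24 (100.000%) Dropped: 0 ( 0.000%)
TCP: 20 ( 83.333%) Bad Chk Sum: 0 ( 0.000%) Total: 24
TCP Port Filter Filtered: 0 Inspected: 0 Tracked: 20
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 0 GET methods: 0 Total packets processed: 0
"""

# Constructed (not from the thread): every TCP segment failed checksum
# verification, so nothing reached stream5 or http_inspect.
LIVE_RUN_BAD_CKSUM = """
Packet I/O Totals: Received: 24 Analyzed: 24 (100.000%) Dropped: 0 ( 0.000%)
TCP: 20 ( 83.333%) Bad Chk Sum: 20 ( 83.333%) Total: 24
TCP Port Filter Filtered: 0 Inspected: 0 Tracked: 0
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 0 GET methods: 0 Total packets processed: 0
"""


def _count(pattern, text, default=None):
    """First integer capture group of pattern in text, or default if absent."""
    m = re.search(pattern, text, re.S)
    return int(m.group(1)) if m else default


def parse_summary(text):
    """Extract the counters that separate 'no traffic', 'bad checksums' and
    'tracked but not inspected'. httpinspect_checks is None when the run was
    done without config profile_preprocs."""
    return {
        "analyzed": _count(r"Analyzed:\s*(\d+)", text, 0),
        "tcp": _count(r"\bTCP:\s*(\d+)\s*\(", text, 0),
        "bad_cksum": _count(r"Bad Chk Sum:\s*(\d+)", text, 0),
        "tracked": _count(r"TCP Port Filter\s+Filtered:\s*\d+\s+Inspected:\s*\d+\s+Tracked:\s*(\d+)", text, 0),
        "httpinspect_checks": _count(r"\bhttpinspect\s+\d+\s+(\d+)", text),
        "http_packets": _count(r"HTTP Inspect.*?Total packets processed:\s*(\d+)", text, 0),
    }


def classify(stats):
    """Order matters: each test assumes the earlier ones did not fire."""
    if stats["analyzed"] == 0:
        return "no_packets"            # wrong interface, DAQ or BPF filter
    if stats["http_packets"] > 0:
        return "http_inspected"        # the pcap case in the thread
    if stats["bad_cksum"] > 0:
        return "bad_checksums"         # try -k none / fix the capture point
    if stats["tracked"] > 0 or stats["tcp"] > 0:
        return "tcp_without_http"      # check http_inspect_server ports vs traffic
    return "no_tcp"


if __name__ == "__main__":
    for name, text in (("pcap", PCAP_RUN), ("live", LIVE_RUN_NO_HTTP), ("live-cksum", LIVE_RUN_BAD_CKSUM)):
        print(name, classify(parse_summary(text)), parse_summary(text))
```

The "tcp_without_http" case is the one the thread is chasing: the port filter line shows stream5 tracking the flows, so the next things to compare are the ports listed for http_inspect_server against what the mirrored traffic actually uses, and, as James does, the DAQ and configure differences between the working and failing builds.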
Current thread:
- Re: Is that ok to use tcpdump 4.0 for snort on Centos 6.5 Jutichai Thongkrachai (Jul 21)
- Re: Is that ok to use tcpdump 4.0 for snort on Centos 6.5 waldo kitty (Jul 22)