Snort mailing list archives

Re: [Snort-users] HTTP INSPECT fails on Mirror Port


From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Fri, 25 Jul 2014 15:34:02 +0000


________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Friday, July 25, 2014 1:42 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror Port

This is the shutdown dump in Network Tap mode: http://pastebin.com/ADWvJAZQ
The shutdown dump in pcap readback mode: http://pastebin.com/afVJbawK
The difference I see is in the Stream5 statistics and the invocation of
HTTP Inspect in pcap readback mode.

* There is a bigger difference.  Check your protocol breakdown counts.  Half the packets from the network are discarded.

* This is why I asked if your pcap was captured from the box you are running Snort on.  If you can capture a pcap there,
you can reproduce the problem in readback and compare pcaps.

On Thu, Jul 24, 2014 at 10:27 PM, Russ Combs (rucombs)
<rucombs () cisco com> wrote:
Did you capture the pcap on the box where you are running Snort?  How do Snort's shutdown stats compare between pcap 
readback and network tap modes?

________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Thursday, July 24, 2014 11:57 AM
To: James Lay; snort-devel () lists sourceforge net
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror Port

Hi,
Can someone on dev list help me ?

I have Snort configured on the mirror port of a switch. Snort fails
to detect HTTP, but it does detect TCP and Stream5.
The Stream5 stats only show that it tracks. I have the http_inspect
and http_inspect_server preprocessors configured.
But when configured to read from a pcap file with the same config,
HTTP is detected.
Can someone shed some light on what's missing in my configuration in
live mirror port mode?

# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv

The config file : http://pastebin.com/qUpTfRLY
The Snort Stats : http://pastebin.com/ADWvJAZQ

With a pcap file, HTTP Inspect is fine:
snort -c /snort-2.9.6.1/etc/snort.conf -r /data/test.pcap

Thanks,

On Wed, Jul 23, 2014 at 5:24 PM, James Lay <jlay () slave-tothe-box net> wrote:
On Tue, 2014-07-22 at 18:33 +0530, Anand Raj Manickam wrote:
Did try with the following.
For Snort:
./configure --with-dnet-includes=/opt/include/
--with-dnet-libraries=/opt/lib --enable-sourcefire
--enable-non-ether-decoders
The behaviour is the same.

For DAQ: # ./configure --with-dnet-includes=/opt/include/
--with-dnet-libraries=/opt/lib
Build AFPacket DAQ module.. : no
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

Not sure why AFPacket fails. But since the testbed is in TAP mode, I did not care.


On Mon, Jul 21, 2014 at 10:36 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2014-07-21 10:41, Anand Raj Manickam wrote:
My understanding was that you do not need afpacket for a mirror port, since
the setting was pcap - passive. Please correct me if I'm wrong.
Snort was configured with ./configure --with-dnet-includes=/xyz
--with-dnet-libraries=/xyz
and DAQ without any parameters.

On Mon, Jul 21, 2014 at 9:39 PM, James Lay <jlay () slave-tothe-box net>
wrote:
On 2014-07-21 09:52, Anand Raj Manickam wrote:
Hi James,
I have attached the pcap.
Thanks,
Anand

Technically I believe you are right, but at this stage, I'm playing
"spot the differences".  My snort config line:

./configure --prefix=/opt --enable-sourcefire
--with-dnet-libraries=/usr/local/lib --enable-non-ether-decoders

and my DAQ config and a snippet of that output:

./configure --prefix=/usr

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes

How does yours differ?

James

At this point I'm out of ideas...perhaps one of the devs can assist.

James
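
One way to act on Russ's suggestion near the top of the thread (capture a pcap on the Snort box, then compare what the tap delivers against readback), as an added example that is not from the thread or from the Snort project: a small pcap reader that counts packets per direction for each TCP conversation and lists conversations where one direction never arrived, which is one thing a mismatch in the protocol breakdown counts can point to. The sample capture, its addresses and its ports are constructed placeholders.

```python
import struct
from collections import defaultdict

ETH_LEN = 14  # Ethernet header; pcap link type 1

def build_frame(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP frame (ACK, no payload) for the sample capture."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file image (link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def flow_directions(pcap_bytes):
    """Per TCP conversation: [packets from the lower endpoint, packets from the higher]."""
    endian = "<" if struct.unpack("<I", pcap_bytes[:4])[0] == 0xA1B2C3D4 else ">"
    counts = defaultdict(lambda: [0, 0])
    off = 24  # skip the global header
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        pkt = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[ETH_LEN + 9] != 6:
            continue  # only complete IPv4/TCP headers are counted
        ihl = (pkt[ETH_LEN] & 0x0F) * 4
        src = ".".join(map(str, pkt[ETH_LEN + 12:ETH_LEN + 16]))
        dst = ".".join(map(str, pkt[ETH_LEN + 16:ETH_LEN + 20]))
        sport, dport = struct.unpack("!HH", pkt[ETH_LEN + ihl:ETH_LEN + ihl + 4])
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a < b else (b, a)  # same key for both directions
        counts[key][0 if a < b else 1] += 1
    return dict(counts)

def one_sided_flows(pcap_bytes):
    """Flows where only one direction was captured; Stream5 sees just one side of these."""
    return sorted(k for k, (f, r) in flow_directions(pcap_bytes).items() if f == 0 or r == 0)

# Constructed sample: flow A is captured both ways, flow B only client -> server.
SAMPLE_PCAP = build_pcap([build_frame("10.0.0.5", "10.0.0.80", 40000, 80),
                          build_frame("10.0.0.80", "10.0.0.5", 80, 40000),
                          build_frame("10.0.0.6", "10.0.0.80", 40001, 80)])
```

Run it over the tap-mode capture and the readback capture and compare the two lists; a long list in tap mode only points at the span or capture path rather than the Snort configuration.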


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

