Snort mailing list archives

Re: HTTP INSPECT fails on Mirror Port


From: Anand Raj Manickam <anandrm () gmail com>
Date: Mon, 4 Aug 2014 13:31:15 +0530

On Thu, Jul 31, 2014 at 5:28 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Thursday, July 31, 2014 7:21 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: HTTP INSPECT fails on Mirror Port

I do not see any duplicate packets on the mirror port.
I have the screen shot of snort :

http://pastebin.com/dcYa4v2G

Live packet capture in parallel:

* It looks like you fixed something because the duplicates in the pcap you sent are not shown below or in the 
shutdown counts.  However, those counts still show about half of the packets not processed by stream.  Of the 11 
packets, only 6 are decoded as TCP and 5 are discarded by the decoder.  Most likely all traffic from your server is 
not decoded properly.

There is nothing fixed in the pcap, looks like sometimes there is a
random behavior in the switch, where I do see some dup packets. I'm
sure why those packets are decoded.

* Please send an updated pcap.  Also, configure Snort to run in log mode and write a pcap (run Snort with -L but w/o 
-c).  You should see the same protocol breakdown counts, 11 total and 6 TCP.  Send that pcap too for comparison.

This is the dump with snort -L -i eth0 (w/o -c):
http://pastebin.com/RpQEMA8g

I have attached the pcap - snort-L.pcap and the log file.

 # tcpdump -i eth0 -nn -e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
04:15:24.568286 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
(0x0800), length 74: 10.11.117.90.52465 > 192.168.1.110.80: Flags [S],
seq 1075122842, win 4380, options [mss 1460,sackOK,TS val 2417285661
ecr 0,nop,wscale 7], length 0
04:15:24.568369 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4
(0x0800), length 74: 192.168.1.110.80 > 10.11.17.90.52465: Flags [S.],
seq 1484212294, ack 1075122843, win 14480, options [mss 1460,sackOK,TS
val 306401729 ecr 2417285661,nop,wscale 5], length 0
04:15:24.568564 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
(0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [.],
ack 1, win 35, options [nop,nop,TS val 2417285661 ecr 306401729],
length 0
04:15:24.568699 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
(0x0800), length 167: 10.11.17.90.52465 > 192.168.1.110.80: Flags
[P.], seq 1:102, ack 1, win 35, options [nop,nop,TS val 2417285661 ecr
306401729], length 101
04:15:24.568703 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4
(0x0800), length 66: 192.168.1.110.80 > 10.11.17.90.52465: Flags [.],
ack 102, win 453, options [nop,nop,TS val 306401729 ecr 2417285661],
length 0
04:15:24.569410 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4
(0x0800), length 556: 192.168.1.110.80 > 10.11.17.90.52465: Flags
[P.], seq 1:491, ack 102, win 453, options [nop,nop,TS val 306401729
ecr 2417285661], length 490
04:15:24.569722 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
(0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [.],
ack 491, win 43, options [nop,nop,TS val 2417285661 ecr 306401729],
length 0
04:15:24.570059 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
(0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [F.],
seq 102, ack 491, win 43, options [nop,nop,TS val 2417285662 ecr
306401729], length 0
04:15:24.570137 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4
(0x0800), length 66: 192.168.1.110.80 > 10.11.17.90.52465: Flags [F.],
seq 491, ack 103, win 453, options [nop,nop,TS val 306401729 ecr
2417285662], length 0
04:15:24.570285 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
(0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [.],
ack 492, win 43, options [nop,nop,TS val 2417285662 ecr 306401729],
length 0

On Mon, Jul 28, 2014 at 9:27 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Friday, July 25, 2014 8:53 PM

To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net;
snort-users () lists sourceforge net
Subject: HTTP INSPECT fails on Mirror Port

Yes, the pcap was captured on the same box running snort.
The capture was on the port configured as mirror.

* Looks like your mirror is sending two copies of all TCP packets to your
sensor.  Not sure why you see different results but you might have better
luck if you eliminate the duplicates.


On Friday, July 25, 2014, Russ Combs (rucombs) <rucombs () cisco com> wrote:


________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Friday, July 25, 2014 1:42 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net;
snort-users () lists sourceforge net
Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror Port

This is the shutdown dump in Network Tap mode:
http://pastebin.com/ADWvJAZQ
The shutdown dump in pcap readback mode: http://pastebin.com/afVJbawK
The difference I see is in the Stream5 Statistics and the invocation of
HTTP Inspect in pcap readback mode.

* There is a bigger difference.  Check your protocol breakdown counts.
Half the packets from the network are discarded.

* This is why I asked if your pcap was captured from the box you are
running Snort.  If you can capture a pcap there you can reproduce the
problem in read back and compare pcaps.

On Thu, Jul 24, 2014 at 10:27 PM, Russ Combs (rucombs)
<rucombs () cisco com> wrote:
Did you capture the pcap on the box where you are running Snort?  How do
Snort's shutdown stats compare between pcap readback and network tap modes?

________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Thursday, July 24, 2014 11:57 AM
To: James Lay; snort-devel () lists sourceforge net
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror
Port

Hi,
Can someone on dev list help me ?

I have Snort configured on the mirror port of a switch. Snort fails
to detect HTTP, but it does detect TCP and Stream5.
The Stream5 stats only show that it tracks. I have the http_inspect
and http_inspect_server preprocessors configured.
But when configured to read from a pcap file, with the same config, the
HTTP is detected.
Can someone shed some light on what's missing in my configuration in
live mirror port mode?

# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv

The config file : http://pastebin.com/qUpTfRLY
The Snort Stats : http://pastebin.com/ADWvJAZQ

With a pcap file, the HTTP Inspect is fine:
 snort  -c /snort-2.9.6.1/etc/snort.conf  -r /data/test.pcap

Thanks,

On Wed, Jul 23, 2014 at 5:24 PM, James Lay <jlay () slave-tothe-box net>
wrote:
On Tue, 2014-07-22 at 18:33 +0530, Anand Raj Manickam wrote:
Did try with
For Snort:
./configure --with-dnet-includes=/opt/include/
--with-dnet-libraries=/opt/lib --enable-sourcefire
--enable-non-ether-decoders
The behaviour is the same

For DAQ: # ./configure --with-dnet-includes=/opt/include/
--with-dnet-libraries=/opt/lib
Build AFPacket DAQ module.. : no
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

Not sure why AFPacket fails. But since the testbed is TAP mode, I did
not care.


On Mon, Jul 21, 2014 at 10:36 PM, James Lay <jlay () slave-tothe-box net>
wrote:
On 2014-07-21 10:41, Anand Raj Manickam wrote:
My understanding was you do not need afpacket for a mirror port,
since the setting was pcap - passive. Please correct me if I'm wrong.
snort was configured with ./configure --with-dnet-includes=/xyz
--with-dnet-libraries=/xyz
DAQ without any parameters

On Mon, Jul 21, 2014 at 9:39 PM, James Lay
<jlay () slave-tothe-box net>
wrote:
On 2014-07-21 09:52, Anand Raj Manickam wrote:
Hi James,
I have attached the pcap.
Thanks,
Anand

Technically I believe you are right, but at this stage, I'm playing
"spot the differences".  My snort config line:

./configure --prefix=/opt --enable-sourcefire
--with-dnet-libraries=/usr/local/lib --enable-non-ether-decoders

and my daq config and a snippet of that output:

./configure --prefix=/usr

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes

How does yours differ?

James

At this point I'm out of ideas...perhaps one of the devs can assist.

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Attachment: snort-L.pcap
Description:

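Russ's diagnosis in the quoted messages (the mirror delivering two copies of every TCP packet, so stream5 discards about half of them) is something you can check, and fix, offline before feeding a capture back to Snort. The script below is an added example written for this archive page; it is not part of the thread and not Snort code. Using only the standard library it parses a little-endian Ethernet pcap, keys each TCP packet on addresses, ports, seq/ack, flags, IP ID and a payload hash, and flags a second identical copy arriving within a short window as a mirror duplicate, while a genuine retransmission (same seq, fresh IP ID, arriving an RTO later) is kept. The sample capture it builds is constructed, loosely modelled on the tcpdump output above; the 2 ms window and the use of the IP ID as a discriminator are assumptions you may need to tune for your switch and hosts.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over a (20-byte) IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", ip_id=0):
    """Constructed Ethernet/IPv4/TCP frame for test input (TCP checksum left 0; not validated)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    addr = lambda ip: bytes(int(o) for o in ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0,
                     addr(src_ip), addr(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001d9268181a") + bytes.fromhex("00175400614f") + b"\x08\x00"
    return eth + ip + tcp


def write_pcap(records: List[Tuple[int, bytes]]) -> bytes:
    """records = [(timestamp_us, frame), ...] -> bytes of a pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_us, frame in records:
        out.append(struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data: bytes) -> List[dict]:
    """One dict per record; 'key' identifies an IPv4/TCP packet exactly, else None."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("expected a little-endian microsecond pcap")
    off, pkts = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        pkt = {"ts_us": ts_sec * 1_000_000 + ts_usec, "frame": frame, "key": None}
        if len(frame) >= 54 and frame[12:14] == b"\x08\x00" and frame[23] == 6:
            ihl = (frame[14] & 0x0F) * 4
            ip_len, ip_id = struct.unpack_from("!HH", frame, 16)
            t = 14 + ihl
            sport, dport, seq, ack, doff_flags = struct.unpack_from("!HHIIH", frame, t)
            payload = frame[t + (doff_flags >> 12) * 4:14 + ip_len]
            pkt["key"] = (frame[26:30], frame[30:34], sport, dport, seq, ack,
                          doff_flags & 0x1FF, ip_id, hashlib.sha256(payload).digest())
        pkts.append(pkt)
    return pkts


def find_duplicates(pkts: List[dict], window_us: int = 2000) -> List[int]:
    """Indices of packets repeating an identical TCP packet seen within window_us.
    A real retransmission has a fresh IP ID and arrives an RTO (hundreds of ms)
    later, so it is kept; a mirror copy arrives microseconds after the original."""
    last_seen: Dict[tuple, int] = {}
    dups = []
    for i, p in enumerate(pkts):
        k = p["key"]
        if k is None:
            continue
        if k in last_seen and p["ts_us"] - last_seen[k] <= window_us:
            dups.append(i)
        else:
            last_seen[k] = p["ts_us"]
    return dups


def dedupe_pcap(data: bytes, window_us: int = 2000) -> Tuple[bytes, dict]:
    """Return (deduplicated pcap bytes, counts) for a capture."""
    pkts = parse_pcap(data)
    dups = set(find_duplicates(pkts, window_us))
    kept = [(p["ts_us"], p["frame"]) for i, p in enumerate(pkts) if i not in dups]
    stats = {"total": len(pkts), "tcp": sum(p["key"] is not None for p in pkts),
             "duplicates": len(dups), "kept": len(kept)}
    return write_pcap(kept), stats


# ---- constructed sample input, modelled on the exchange quoted in the thread ----
C, S = "10.11.17.90", "192.168.1.110"
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01
REQ = b"GET / HTTP/1.1\r\nHost: 192.168.1.110\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def build_mirror_capture() -> bytes:
    """Seven-packet HTTP exchange in which the SPAN port emits every packet twice
    (~30 us apart), plus one genuine retransmission of the request 300 ms later."""
    flow = [  # (t_us, src, dst, sport, dport, seq, ack, flags, payload, ip_id)
        (0, C, S, 52465, 80, 1000, 0, SYN, b"", 1),
        (80, S, C, 80, 52465, 2000, 1001, SYN | ACK, b"", 1),
        (200, C, S, 52465, 80, 1001, 2001, ACK, b"", 2),
        (300, C, S, 52465, 80, 1001, 2001, PSH | ACK, REQ, 3),
        (900, S, C, 80, 52465, 2001, 1001 + len(REQ), PSH | ACK, RESP, 2),
        (1200, C, S, 52465, 80, 1001 + len(REQ), 2001 + len(RESP), ACK, b"", 4),
        (1500, C, S, 52465, 80, 1001 + len(REQ), 2001 + len(RESP), FIN | ACK, b"", 5),
    ]
    records = []
    for t, *args in flow:
        frame = build_frame(*args)
        records += [(t, frame), (t + 30, frame)]  # second copy from the mirror
    records.append((300_300, build_frame(C, S, 52465, 80, 1001, 2001, PSH | ACK, REQ, 6)))
    return write_pcap(sorted(records, key=lambda r: r[0]))


if __name__ == "__main__":
    clean, stats = dedupe_pcap(build_mirror_capture())
    print(stats)  # {'total': 15, 'tcp': 15, 'duplicates': 7, 'kept': 8}
```

Against a real file, `dedupe_pcap(open("snort-L.pcap", "rb").read())` gives you the counts to set beside the Eth/TCP lines of Snort's protocol breakdown: if `duplicates` is close to half of `tcp`, the mirror, not Snort, is the problem. Wireshark's `editcap -d` does the same duplicate removal from the command line if you only need the cleaned file; the value of the script is that it shows which packets were dropped and why. The real fix is on the switch side, mirroring one direction of the port (or the VLAN) rather than both the ingress and egress of a single port.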
