Snort mailing list archives
Re: HTTP INSPECT fails on Mirror Port
From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Wed, 6 Aug 2014 15:58:27 +0000
________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Wednesday, August 06, 2014 5:47 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: HTTP INSPECT fails on Mirror Port

On Wed, Aug 6, 2014 at 12:48 AM, Russ Combs (rucombs) <rucombs () cisco com> wrote:
________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Tuesday, August 05, 2014 4:05 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: HTTP INSPECT fails on Mirror Port

* You have something weird going on. Now 6 are eth:ip4:tcp and 4 are eth:other. Previously they were eth:ip4:other.

* At this point, since it happens only on your interface, I suggest compiling a debug version of Snort so you can catch it and see what's up. You will need to set breakpoints in decode.c in DecodeEthPkt() and DecodeIPv4Proto() wherever pc.other++ happens and figure out what protocol it sees instead of IP and TCP respectively.

I have the gdb breaks set. I see that in live packet capture mode there appears to be an internal fragmentation of the packet, though the MTU is 1500; the max size of a packet in this capture is only 556. If you look at the pkt struct's data, I see characters. But when I played with the pcap, I never saw character data. (This is the reason why pcap works.)

* The problem does not appear to be with the length. Your 556 byte server response is the actual, full size: eth:ip4:tcp:http = 14 + 20 + 32 + 490 = 556

* You need to break on the pc.other++ lines in the above two functions and then look at exactly what the next layer protocol is. That is why decode is failing in these functions.

* For example, in the eth function you can execute this command: p /x p->eh->ether_type

* And in the ip4 function you can execute this command: p /x proto
Sorry, I forgot to mention that I did see random values on ether_type (0x40, 0x203a etc.), whereas when I ran with the pcap, the ptype was always 0x8. Not sure why the packets are split.

* OK, we are getting closer. Please break on the pc.other++ lines only. Those are where the packets stop getting decoded because of an unrecognized type.

* The values you are printing are in network byte order, so the eth 0x80 is actually 0x0800 which indicates IP. The IP 0x6 is TCP. The only other value your pcap has is eth 0x0806 which indicates ARP. The rest of the values below are most likely indicative of the problem you have.

* Why do you say "the packets are split"? Do the lengths not correspond to the packets in your pcap?

Below is the dump of gdb in tap mode:

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:701
701         switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$28 = 0x40
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:701
701         switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$29 = 0x40
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:701
701         switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$30 = 0x8
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7494064 "\255L", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) p /x p->iph->ip_proto
$31 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:701
701         switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$32 = 0x203a
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:701
701         switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$33 = 0x8
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) p /x p->iph->ip_proto
$34 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been added, yet.</p>\n</body></html>\n") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been added, yet.</p>\n</body></html>\n") at decode.c:701
701         switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$35 = 0x7475
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:701
701         switch(ntohs(p->eh->ether_type))
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496064 "\255L", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) p /x p->eh->ether_type
$36 = 0x8
(gdb) p /x p->iph->ip_proto
$37 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
650     {
(gdb) c
Continuing.
I have the gdb dump below, with bt. I have turned off all offload settings:

# ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp segmentation offload: off
udp fragmentation offload: off
generic segmentation offload: off

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7494064 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
650     {
(gdb) bt
#0  DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
#1  0x56591224 in ProcessPacket (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n", ft=0x0) at snort.c:1821
#2  0x56593a58 in PacketCallback (user=0x0, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at snort.c:1704
#3  0x5666f489 in pcap_process_loop (user=0x57628770 "(\211bW", pkth=0xffffd6bc, data=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at daq_pcap.c:361
#4  0xf7d9e8f2 in pcap_read_linux_mmap (handle=0x576289c8, max_packets=0, callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at ./pcap-linux.c:4071
#5  0xf7da09b2 in pcap_dispatch (p=0x576289c8, cnt=0, callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at ./pcap.c:497
#6  0x5666fc26 in pcap_daq_acquire (handle=0x57628770, cnt=0, callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at daq_pcap.c:379
#7  0x5666eb1b in daq_acquire_with_meta (module=0x566bba60 <pcap_daq_module_data>, handle=0x57628770, cnt=0, callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at daq_mod_ops.c:133
#8  0x565b4f75 in DAQ_Acquire (max=0, callback=0x56593830 <PacketCallback>, user=0x0) at sfdaq.c:540
#9  0x565933bf in PacketLoop () at snort.c:3210
#10 0x565977f3 in SnortMain (argc=5, argv=0xffffd9e4) at snort.c:907
#11 0x56597bea in main (argc=841887793, argv=0x63410a0d) at snort.c:807
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been added, yet.</p>\n</body></html>\n") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496064 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496694 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7497042 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7497064 "", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7497672 "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7497694 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749803c "") at decode.c:650
650     {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749866c "") at decode.c:650
650     {
(gdb) c
Continuing.
c
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
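The thread turns on two points: the EtherType and IP protocol fields are read in network byte order (so a field that prints as 0x8 in a native uint16 is 0x0800 after ntohs()), and a decoder stops at the first layer it does not recognize, which is what happens when the pkt pointer it is handed starts inside the HTTP payload rather than at the Ethernet header. The program below is an added illustration written for this archive page; it is not Snort's decode.c and not code from anyone in the thread. It builds a constructed 556-byte frame laid out as 14 + 20 + 32 + 490 bytes, classifies it as eth:ip4:tcp from its true start, and shows that the same buffer classified from an offset inside the payload (or an ARP frame) lands in "other", with counters standing in for Snort's pc.other tally. The frame contents, the category names and the function names are all assumptions made for the example.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Snort's decode.c: a minimal eth -> ip4 -> tcp classifier in the
 * spirit of DecodeEthPkt()/DecodeIPv4Proto(), with counters in place of pc.other. */

#define ETH_HLEN 14
#define IP4_HLEN 20
#define TCP_HLEN 32      /* 20-byte header + 12 bytes of options, as in the 556-byte packet */
#define HTTP_LEN 490
#define FRAME_LEN (ETH_HLEN + IP4_HLEN + TCP_HLEN + HTTP_LEN)   /* 556 */

enum { ET_IP4 = 0x0800, ET_ARP = 0x0806, PROTO_TCP = 6 };

typedef struct { unsigned ip4_tcp, ip4_other, eth_other, truncated; } decode_counts;

/* EtherType sits at frame offset 12 in network byte order. Copied into a native uint16_t
 * on a little-endian host the IPv4 value reads as 0x0008; ntohs() turns it into 0x0800. */
static uint16_t ethertype_raw(const uint8_t *frame) {
    uint16_t v;
    memcpy(&v, frame + 12, sizeof v);
    return v;
}
static uint16_t ethertype_host(const uint8_t *frame) { return ntohs(ethertype_raw(frame)); }

/* Decode one frame and return its category; stop and count "other" at the first layer
 * whose type is not recognized, which is where Snort's pc.other++ paths sit. */
static const char *classify(const uint8_t *frame, size_t len, decode_counts *c) {
    decode_counts dummy = {0};
    if (!c) c = &dummy;                              /* caller may pass NULL if only the label matters */
    if (len < ETH_HLEN) { c->truncated++; return "truncated"; }
    if (ethertype_host(frame) != ET_IP4) { c->eth_other++; return "eth:other"; }
    const uint8_t *ip = frame + ETH_HLEN;
    size_t ihl = (ip[0] & 0x0f) * 4;
    if (len < ETH_HLEN + IP4_HLEN || (ip[0] >> 4) != 4 || ihl < IP4_HLEN) {
        c->eth_other++;                              /* IPv4 EtherType but no sane IPv4 header behind it */
        return "eth:other";
    }
    if (ip[9] != PROTO_TCP) { c->ip4_other++; return "eth:ip4:other"; }
    c->ip4_tcp++;
    return "eth:ip4:tcp";
}

/* Constructed eth:ip4:tcp:http frame of exactly 14 + 20 + 32 + 490 = 556 bytes. */
static size_t build_http_frame(uint8_t *buf) {
    static const char req[] = "GET / HTTP/1.0\r\nAccept: */*\r\nHost: 192.168.1.110\r\n\r\n";
    memset(buf, 0, FRAME_LEN);
    buf[12] = 0x08; buf[13] = 0x00;                  /* EtherType IPv4 as it appears on the wire */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                                    /* version 4, IHL 5 (20 bytes) */
    uint16_t tot = htons(IP4_HLEN + TCP_HLEN + HTTP_LEN);
    memcpy(ip + 2, &tot, sizeof tot);
    ip[8] = 64; ip[9] = PROTO_TCP;                   /* TTL, protocol */
    uint8_t *tcp = ip + IP4_HLEN;
    tcp[12] = (TCP_HLEN / 4) << 4;                   /* data offset 8 -> 32-byte TCP header */
    memcpy(tcp + TCP_HLEN, req, sizeof req - 1);     /* rest of the 490-byte payload stays zero */
    return FRAME_LEN;
}

/* Classify the constructed frame from `offset` bytes past its true start. A non-zero
 * offset reproduces a pkt pointer that lands inside the HTTP payload: the two ASCII
 * bytes found at "offset 12" are taken as the EtherType and the frame drops to other. */
static const char *classify_sample_at(size_t offset, decode_counts *c) {
    static uint8_t frame[FRAME_LEN];
    size_t len = build_http_frame(frame);
    return classify(frame + offset, len - offset, c);
}

/* Constructed ARP frame: a legitimate eth:other, like the 0x0806 frames in the pcap. */
static const char *classify_arp(decode_counts *c) {
    uint8_t frame[60] = {0};
    frame[12] = 0x08; frame[13] = 0x06;
    return classify(frame, sizeof frame, c);
}

static uint16_t sample_ethertype_raw(void)  { static uint8_t f[FRAME_LEN]; build_http_frame(f); return ethertype_raw(f); }
static uint16_t sample_ethertype_host(void) { static uint8_t f[FRAME_LEN]; build_http_frame(f); return ethertype_host(f); }

/* Run the three classifications and return the tally. */
static decode_counts run_demo(void) {
    decode_counts c = {0};
    classify_sample_at(0, &c);
    classify_sample_at(ETH_HLEN + IP4_HLEN + TCP_HLEN, &c);   /* pointer into the HTTP payload */
    classify_arp(&c);
    return c;
}

int main(void) {
    decode_counts c = run_demo();
    printf("raw ether_type 0x%04x, after ntohs 0x%04x\n", sample_ethertype_raw(), sample_ethertype_host());
    printf("true start -> %s\n", classify_sample_at(0, NULL));
    printf("+66 bytes  -> %s\n", classify_sample_at(ETH_HLEN + IP4_HLEN + TCP_HLEN, NULL));
    printf("arp        -> %s\n", classify_arp(NULL));
    printf("ip4_tcp=%u ip4_other=%u eth_other=%u\n", c.ip4_tcp, c.ip4_other, c.eth_other);
    return 0;
}
```

When reading a live dump like the one above, the useful check is the pair of values the program prints first: if the raw field shows 0x0008 but the post-ntohs value is 0x0800, the decoder is looking at a real Ethernet header; values such as 0x203a or 0x7475 after ntohs() are ASCII pairs, which is the signature of a buffer pointer that does not start at the frame boundary rather than of an unknown link-layer protocol.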