Snort mailing list archives
Re: HTTP INSPECT fails on Mirror Port
From: Anand Raj Manickam <anandrm () gmail com>
Date: Wed, 6 Aug 2014 22:26:18 +0530
On Wed, Aug 6, 2014 at 10:04 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:
________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Wednesday, August 06, 2014 12:17 PM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: HTTP INSPECT fails on Mirror Port

On Wed, Aug 6, 2014 at 9:28 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:
________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Wednesday, August 06, 2014 5:47 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: HTTP INSPECT fails on Mirror Port

On Wed, Aug 6, 2014 at 12:48 AM, Russ Combs (rucombs) <rucombs () cisco com> wrote:
________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Tuesday, August 05, 2014 4:05 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: HTTP INSPECT fails on Mirror Port

* You have something weird going on. Now 6 are eth:ip4:tcp and 4 are eth:other. Previously they were eth:ip4:other.

* At this point, since it happens only on your interface, I suggest compiling a debug version of Snort so you can catch it and see what's up. You will need to set breakpoints in decode.c in DecodeEthPkt() and DecodeIPv4Proto() wherever pc.other++ happens and figure out what protocol it sees instead of IP and TCP respectively.

I have the gdb breaks set. I see that in live packet capture mode there appears to be an internal fragmentation of the packet, though the MTU is 1500; the max size of a packet in this capture is only 556. If you look at the pkt struct's data, I see characters. But when I played it with the pcap, I never saw character data. (This is the reason why pcap works.)

* The problem does not appear to be with the length.

Your 556 byte server response is the actual, full size: eth:ip4:tcp:http = 14 + 20 + 32 + 490 = 556

* You need to break on the pc.other++ lines in the above two functions and then look at exactly what the next layer protocol is. That is why decode is failing in these functions.

* For example, in the eth function you can execute this command: p /x p->eh->ether_type

* And in the ip4 function you can execute this command: p /x proto

Sorry, I forgot to mention that I did see random values on ether_type (0x40, 0x203a etc.), whereas when I ran with the pcap the ptype was always 0x8. Not sure why the packets are split.

* OK, we are getting closer. Please break on the pc.other++ lines only. Those are where the packets stop getting decoded because of an unrecognized type.

* The values you are printing are in network byte order, so the eth 0x80 is actually 0x0800 which indicates IP. The IP 0x6 is TCP. The only other value your pcap has is eth 0x0806 which indicates ARP. The rest of the values below are most likely indicative of the problem you have.

* Why do you say "the packets are split"? Do the lengths not correspond to the packets in your pcap?

# The reason why I say the packets are split: have a closer look at the DecodeEthPkt breakpoints below, e.g.:

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:701
701 switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$32 = 0x203a

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been added, yet.</p>\n</body></html>\n") at decode.c:701
701 switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$35 = 0x7475

I do not understand why a 556 byte packet needs to be in two passes, whereas when I played it with the pcap I never saw a decode like this. The 'pkt' ptrs were always "", I never saw any characters in them.
* Clearly what Snort thinks is the beginning of a packet is actually the middle. DecodeEthPkt() is the very beginning of processing the raw packet data coming up from the DAQ. If it is bad at that point, it is not a Snort problem. Furthermore, sometimes you seem to be getting payload only and other times you are getting full packets. What DAQ are you using in tap mode? What kind of tap or span do you have feeding these packets to your Snort?
# I did build the DAQ lib as it is; based on the bt it uses the DAQ. I'm using the daq 2.0.2 version. Please let me know if the DAQ needs a specific config to be built; the backtrace is below.

(gdb) bt
#0 DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
#1 0x56591224 in ProcessPacket (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n", ft=0x0) at snort.c:1821
#2 0x56593a58 in PacketCallback (user=0x0, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at snort.c:1704
#3 0x5666f489 in pcap_process_loop (user=0x57628770 "(\211bW", pkth=0xffffd6bc, data=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at daq_pcap.c:361
#4 0xf7d9e8f2 in pcap_read_linux_mmap (handle=0x576289c8, max_packets=0, callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at ./pcap-linux.c:4071
#5 0xf7da09b2 in pcap_dispatch (p=0x576289c8, cnt=0, callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at ./pcap.c:497
#6 0x5666fc26 in pcap_daq_acquire (handle=0x57628770, cnt=0, callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at daq_pcap.c:379
#7 0x5666eb1b in daq_acquire_with_meta (module=0x566bba60 <pcap_daq_module_data>, handle=0x57628770, cnt=0, callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at daq_mod_ops.c:133
#8 0x565b4f75 in DAQ_Acquire (max=0, callback=0x56593830 <PacketCallback>, user=0x0) at sfdaq.c:540
#9 0x565933bf in PacketLoop () at snort.c:3210
#10 0x565977f3 in SnortMain (argc=5, argv=0xffffd9e4) at snort.c:907
#11 0x56597bea in main (argc=841887793, argv=0x63410a0d) at snort.c:807

# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
Below is the DUMP of gdb on tap mode:

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:701
701 switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$28 = 0x40
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:701
701 switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$29 = 0x40
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:701
701 switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$30 = 0x8
(gdb) c
Continuing.
Breakpoint 2, DecodeIP (pkt=0xe7494064 "\255L", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586 DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) p /x p->iph->ip_proto
$31 = 0x6
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:701
701 switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$32 = 0x203a
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:701
701 switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$33 = 0x8
(gdb) c
Continuing.
Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586 DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) p /x p->iph->ip_proto
$34 = 0x6
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been added, yet.</p>\n</body></html>\n") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been added, yet.</p>\n</body></html>\n") at decode.c:701
701 switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$35 = 0x7475
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:701
701 switch(ntohs(p->eh->ether_type))
(gdb) c
Continuing.
Breakpoint 2, DecodeIP (pkt=0xe7496064 "\255L", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586 DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) p /x p->eh->ether_type
$36 = 0x8
(gdb) p /x p->iph->ip_proto
$37 = 0x6
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
650 {
(gdb) c
Continuing.

I have the GDB dump below, with bt. I have turned off all offload settings:

# ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp segmentation offload: off
udp fragmentation offload: off
generic segmentation offload: off

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 2, DecodeIP (pkt=0xe7494064 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586 DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
650 {
(gdb) bt
#0 DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
#1 0x56591224 in ProcessPacket (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n", ft=0x0) at snort.c:1821
#2 0x56593a58 in PacketCallback (user=0x0, pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at snort.c:1704
#3 0x5666f489 in pcap_process_loop (user=0x57628770 "(\211bW", pkth=0xffffd6bc, data=0xe74946d7 "10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at daq_pcap.c:361
#4 0xf7d9e8f2 in pcap_read_linux_mmap (handle=0x576289c8, max_packets=0, callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at ./pcap-linux.c:4071
#5 0xf7da09b2 in pcap_dispatch (p=0x576289c8, cnt=0, callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at ./pcap.c:497
#6 0x5666fc26 in pcap_daq_acquire (handle=0x57628770, cnt=0, callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at daq_pcap.c:379
#7 0x5666eb1b in daq_acquire_with_meta (module=0x566bba60 <pcap_daq_module_data>, handle=0x57628770, cnt=0, callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at daq_mod_ops.c:133
#8 0x565b4f75 in DAQ_Acquire (max=0, callback=0x56593830 <PacketCallback>, user=0x0) at sfdaq.c:540
#9 0x565933bf in PacketLoop () at snort.c:3210
#10 0x565977f3 in SnortMain (argc=5, argv=0xffffd9e4) at snort.c:907
#11 0x56597bea in main (argc=841887793, argv=0x63410a0d) at snort.c:807
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586 DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been added, yet.</p>\n</body></html>\n") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 2, DecodeIP (pkt=0xe7496064 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586 DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 2, DecodeIP (pkt=0xe7496694 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586 DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7497042 "") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 2, DecodeIP (pkt=0xe7497064 "", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586 DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe7497672 "") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 2, DecodeIP (pkt=0xe7497694 "\217\033", len=52, p=0x56c63300 <s_packet>) at decode.c:2586
2586 DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749803c "") at decode.c:650
650 {
(gdb) c
Continuing.
Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620, pkt=0xe749866c "") at decode.c:650
650 {
(gdb) c
Continuing.
c
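The following small C decoder is an added example for this thread, not Snort's code nor anything posted by the participants. It mirrors what DecodeEthPkt()/DecodeIP() do with the EtherType and IP protocol fields, labels a buffer the way Snort's counters do (eth:ip4:tcp, eth:other), and reproduces the symptom in the gdb output above: handed a pointer into the HTTP payload rather than the frame start, it reads ASCII bytes as the EtherType and the buffer lands on the pc.other++ path. The frame bytes are constructed; the IP addresses are the thread's, the MACs and checksums are dummies.

```c
/* Added example, not Snort's own code: a miniature DecodeEthPkt()/DecodeIP()
 * that labels a buffer the way Snort's stats do ("eth:ip4:tcp", "eth:other")
 * and shows what the decoder sees when the pointer it is handed starts in the
 * middle of an HTTP payload instead of at the Ethernet header. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14
#define IP4_HDR_MIN 20

/* Host-order EtherType, as in Snort's switch(ntohs(p->eh->ether_type)), or -1
 * if the buffer cannot hold an Ethernet header. Note gdb's "p /x" on the raw
 * field shows it byte-swapped on x86: 0x8 for 0x0800, 0x203a for 0x3a20. */
int eth_type(const uint8_t *pkt, size_t len) {
    uint16_t raw;
    if (len < ETH_HDR_LEN) return -1;
    memcpy(&raw, pkt + 12, sizeof raw);   /* on the wire: big-endian */
    return ntohs(raw);
}

/* Classify like Snort's pc counters: unknown EtherType or IP proto -> other. */
const char *decode_frame(const uint8_t *pkt, size_t len) {
    int type = eth_type(pkt, len);
    if (type == 0x0806) return "eth:arp";
    if (type != 0x0800 || len < ETH_HDR_LEN + IP4_HDR_MIN) return "eth:other";
    size_t ihl = (pkt[ETH_HDR_LEN] & 0x0f) * 4;   /* IPv4 header length */
    if (ihl < IP4_HDR_MIN || len < ETH_HDR_LEN + ihl) return "eth:ip4:other";
    return pkt[ETH_HDR_LEN + 9] == 6 ? "eth:ip4:tcp" : "eth:ip4:other";
}

/* Constructed frame: eth(14) + IPv4(20, proto 6 = TCP) + start of an HTTP
 * request. Addresses are the thread's; MACs and checksums are dummies. */
static const uint8_t SAMPLE[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x27, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    192,168,1,10, 192,168,1,110,
    '1','0','.','2','\r','\n','A','c','c','e','p','t',':',' ','*','/','*','\r','\n'
};
#define PAYLOAD_OFF (ETH_HDR_LEN + IP4_HDR_MIN)

int main(void) {
    /* From the true frame start, then from the payload: the latter is what the
     * "10.2\r\nAccept: ..." pkt pointers in the gdb output amount to. */
    size_t rest = sizeof SAMPLE - PAYLOAD_OFF;
    printf("%s\n", decode_frame(SAMPLE, sizeof SAMPLE));
    printf("%s (ethertype 0x%04x)\n", decode_frame(SAMPLE + PAYLOAD_OFF, rest),
           eth_type(SAMPLE + PAYLOAD_OFF, rest));
    return 0;
}
```

Run from the frame start it reports eth:ip4:tcp; run from the payload it reports eth:other with EtherType 0x3a20, the ": " of "Accept: " read as a type field, which is exactly the class of value the 0x203a and 0x7475 breakpoints show and why the DAQ feed, not the decoder, is the place to look.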