Snort mailing list archives

Re: HTTP INSPECT fails on Mirror Port


From: Anand Raj Manickam <anandrm () gmail com>
Date: Wed, 6 Aug 2014 22:26:18 +0530

On Wed, Aug 6, 2014 at 10:04 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Wednesday, August 06, 2014 12:17 PM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: HTTP INSPECT fails on Mirror Port

On Wed, Aug 6, 2014 at 9:28 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Wednesday, August 06, 2014 5:47 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: HTTP INSPECT fails on Mirror Port

On Wed, Aug 6, 2014 at 12:48 AM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

________________________________________
From: Anand Raj Manickam [anandrm () gmail com]
Sent: Tuesday, August 05, 2014 4:05 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: HTTP INSPECT fails on Mirror Port

* You have something weird going on.  Now 6 are eth:ip4:tcp and 4 are eth:other.  Previously they were 
eth:ip4:other.

* At this point, since it happens only on your interface, I suggest compiling a debug version of Snort so you can 
catch it and see what's up.  You will need to set breakpoints in decode.c in DecodeEthPkt() and DecodeIPv4Proto() 
wherever pc.other++ happens and figure out what protocol it sees instead of IP and TCP respectively.

I have the gdb breaks set. I see that in live packet capture mode
there appears to be an internal fragmentation of the packet, though the
MTU is 1500; the max size of a packet in this capture is only 556.
If you look at the pkt struct's data, I see characters. But when I
played with the pcap, I never saw character data. (This is the reason
why pcap works.)

* The problem does not appear to be with the length.  Your 556 byte server response is the actual, full size:

eth:ip4:tcp:http = 14 + 20 + 32 + 490 = 556

* You need to break on the pc.other++ lines in the above two functions and then look at exactly what the next layer 
protocol is.  That is why decode is failing in these functions.

* For example, in the eth function you can execute this command:

p /x p->eh->ether_type

* And in the ip4 function you can execute this command:

p /x proto

Sorry, I forgot to mention that I did see random values on
ether_type (0x40, 0x203a etc.), whereas when I ran with the pcap, the
ptype was always 0x8.
Not sure why the packets are split.

* OK, we are getting closer.  Please break on the pc.other++ lines only.  Those are where the packets stop getting 
decoded because of an unrecognized type.

* The values you are printing are in network byte order, so the eth 0x80 is actually 0x0800 which indicates IP.  The 
IP 0x6 is TCP.  The only other value your pcap has is eth 0x0806 which indicates ARP.  The rest of the values below 
are most likely indicative of the problem you have.

* Why do you say "the packets are split"?  Do the lengths not correspond to the packets in your pcap?
# The reason why I say the packets are split: if you have a closer look at the
DecodeEthPkt breakpoints below,
e.g.: Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
 pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:701
 701    switch(ntohs(p->eh->ether_type))
 (gdb) p /x p->eh->ether_type
 $32 = 0x203a

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
 pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
 added, yet.</p>\n</body></html>\n") at decode.c:701
 701    switch(ntohs(p->eh->ether_type))
 (gdb) p /x p->eh->ether_type
 $35 = 0x7475

I do not understand why a 556 byte packet needs to be in two passes,
whereas when I played it with pcap I never saw a decode like this.
The 'pkt' ptrs were always "", I never saw any characters in them.

* Clearly what Snort thinks is the beginning of a packet is actually the middle.  DecodeEthPkt() is the very 
beginning of processing the raw packet data coming up from the DAQ.  If it is bad at that point, it is not a Snort 
problem.  Furthermore, sometimes you seem to be getting payload only and other times you are getting full packets.  
What DAQ are you using in tap mode?  What kind of tap or span do you have feeding these packets to your Snort?

# I did build the DAQ lib as it is; based on the bt it uses the DAQ. I
am using daq version 2.0.2.
Please let me know if the DAQ needs a specific config to be built; the
backtrace is below.

   (gdb) bt
   #0  DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620,
       pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
       192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
   #1  0x56591224 in ProcessPacket (p=0x56c63300 <s_packet>,
       pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
       192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n", ft=0x0)
       at snort.c:1821
   #2  0x56593a58 in PacketCallback (user=0x0, pkthdr=0xffffd620,
       pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
       192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at snort.c:1704
   #3  0x5666f489 in pcap_process_loop (user=0x57628770 "(\211bW",
       pkth=0xffffd6bc, data=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
       192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n")
       at daq_pcap.c:361
   #4  0xf7d9e8f2 in pcap_read_linux_mmap (handle=0x576289c8,
       max_packets=0, callback=0x5666f400 <pcap_process_loop>,
       user=0x57628770 "(\211bW") at ./pcap-linux.c:4071
   #5  0xf7da09b2 in pcap_dispatch (p=0x576289c8, cnt=0,
       callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at
       ./pcap.c:497
   #6  0x5666fc26 in pcap_daq_acquire (handle=0x57628770, cnt=0,
       callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at
       daq_pcap.c:379
   #7  0x5666eb1b in daq_acquire_with_meta (module=0x566bba60
       <pcap_daq_module_data>, handle=0x57628770, cnt=0, callback=0x56593830
       <PacketCallback>, metaback=0x0, user=0x0)
       at daq_mod_ops.c:133
   #8  0x565b4f75 in DAQ_Acquire (max=0, callback=0x56593830
       <PacketCallback>, user=0x0) at sfdaq.c:540
   #9  0x565933bf in PacketLoop () at snort.c:3210
   #10 0x565977f3 in SnortMain (argc=5, argv=0xffffd9e4) at snort.c:907
   #11 0x56597bea in main (argc=841887793, argv=0x63410a0d) at snort.c:807

# snort --daq-list
   Available DAQ modules:
   pcap(v3): readback live multi unpriv
   nfq(v7): live inline multi
   ipfw(v3): live inline multi unpriv
   dump(v2): readback live inline multi unpriv





Below is the dump of gdb in tap mode:

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$28 = 0x40
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$29 = 0x40
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$30 = 0x8
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7494064 "\255L", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb)  p /x p->iph->ip_proto
$31 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$32 = 0x203a
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$33 = 0x8
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb)  p /x p->iph->ip_proto
$34 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
added, yet.</p>\n</body></html>\n") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
added, yet.</p>\n</body></html>\n") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$35 = 0x7475
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496064 "\255L", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) p /x p->eh->ether_type
$36 = 0x8
(gdb)  p /x p->iph->ip_proto
$37 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
650 {
(gdb) c
Continuing.





I have the GDB dump below, with bt.

I have turned off all offload settings

# ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp segmentation offload: off
udp fragmentation offload: off
generic segmentation offload: off


Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7494064 "\217\033", len=52,
p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
650 {
(gdb) bt
#0  DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620,
pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
#1  0x56591224 in ProcessPacket (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n", ft=0x0)
    at snort.c:1821
#2  0x56593a58 in PacketCallback (user=0x0, pkthdr=0xffffd620,
pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at snort.c:1704
#3  0x5666f489 in pcap_process_loop (user=0x57628770 "(\211bW",
pkth=0xffffd6bc, data=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n")
    at daq_pcap.c:361
#4  0xf7d9e8f2 in pcap_read_linux_mmap (handle=0x576289c8,
max_packets=0, callback=0x5666f400 <pcap_process_loop>,
user=0x57628770 "(\211bW") at ./pcap-linux.c:4071
#5  0xf7da09b2 in pcap_dispatch (p=0x576289c8, cnt=0,
callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at
./pcap.c:497
#6  0x5666fc26 in pcap_daq_acquire (handle=0x57628770, cnt=0,
callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at
daq_pcap.c:379
#7  0x5666eb1b in daq_acquire_with_meta (module=0x566bba60
<pcap_daq_module_data>, handle=0x57628770, cnt=0, callback=0x56593830
<PacketCallback>, metaback=0x0, user=0x0)
    at daq_mod_ops.c:133
#8  0x565b4f75 in DAQ_Acquire (max=0, callback=0x56593830
<PacketCallback>, user=0x0) at sfdaq.c:540
#9  0x565933bf in PacketLoop () at snort.c:3210
#10 0x565977f3 in SnortMain (argc=5, argv=0xffffd9e4) at snort.c:907
#11 0x56597bea in main (argc=841887793, argv=0x63410a0d) at snort.c:807
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
added, yet.</p>\n</body></html>\n") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496064 "\217\033", len=52,
p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496694 "\217\033", len=52,
p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7497042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7497064 "", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7497672 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7497694 "\217\033", len=52,
p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749803c "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749866c "") at decode.c:650
650 {
(gdb) c
Continuing.
c
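The byte-order and layering points raised in the exchange above, as an added worked example that is not part of this thread or of Snort's own code: it reads the two bytes at offset 12 both the way gdb printed them on a little-endian host and the way ntohs() would, walks eth -> ip4 -> tcp the way DecodeEthPkt()/DecodeIPv4Proto() do, and reports where decoding would stop. The two sample buffers are the payload fragments visible in the gdb output, re-typed as bytes (constructed input); the well-formed 556-byte frame, its MAC/IP addresses, ports and zero checksums are made up so that the layer sizes match the 14 + 20 + 32 + 490 arithmetic.

```python
"""Added example (not from the thread): check whether a buffer handed to the
decoder really starts at an Ethernet frame boundary, and reproduce the
14 + 20 + 32 + 490 = 556 layer arithmetic from the discussion."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6

# Constructed sample input: the two payload fragments that gdb printed as the
# 'pkt' argument, re-typed as bytes.  They are the tails of an HTTP request
# and of an HTTP response, not Ethernet frames.
SAMPLE_FRAGMENTS = {
    "request_tail": (b"10.2\r\nAccept: */*\r\nHost: 192.168.1.110\r\n"
                     b"Connection: Keep-Alive\r\n\r\n"),
    "response_tail": (b"is running but no content has been added, yet.</p>\n"
                      b"</body></html>\n"),
}


def raw_ether_type_le(buf):
    """Mimic 'p /x p->eh->ether_type' on a little-endian x86 host: the two
    bytes at offset 12 read as a host-order uint16, with no ntohs()."""
    return struct.unpack_from("<H", buf, 12)[0]


def ether_type(buf):
    """What decode.c actually switches on: ntohs() of those same two bytes,
    i.e. the field read in network (big-endian) byte order."""
    return struct.unpack_from("!H", buf, 12)[0]


def parse_frame(buf):
    """Walk eth -> ip4 -> tcp and report where decoding would stop.
    'other' marks the layer at which Snort would bump pc.other because the
    next-layer protocol is unrecognised."""
    if len(buf) < 14:
        raise ValueError("shorter than an Ethernet header")
    result = {"layers": ["eth"], "ether_type": ether_type(buf),
              "raw_le": raw_ether_type_le(buf), "sizes": {"eth": 14}}
    if result["ether_type"] == ETHERTYPE_ARP:
        result["layers"].append("arp")
        return result
    if result["ether_type"] != ETHERTYPE_IPV4:
        result["layers"].append("other")      # eth:other in the stats
        return result
    ihl = (buf[14] & 0x0F) * 4                # IPv4 header length in bytes
    ip_len = struct.unpack_from("!H", buf, 16)[0]
    proto = buf[23]                           # IPv4 protocol field
    result["layers"].append("ip4")
    result["sizes"]["ip4"] = ihl
    result["ip_proto"] = proto
    if proto != IPPROTO_TCP:
        result["layers"].append("other")      # eth:ip4:other in the stats
        return result
    data_off = (buf[14 + ihl + 12] >> 4) * 4  # TCP header length in bytes
    result["layers"].append("tcp")
    result["sizes"]["tcp"] = data_off
    result["sizes"]["payload"] = ip_len - ihl - data_off
    return result


def build_sample_frame(payload_len=490, tcp_opts_len=12):
    """Constructed, well-formed frame with the same layer sizes as the
    556-byte server response in the thread: 14 eth + 20 ip4 + 32 tcp + 490.
    MACs, IPs, ports and checksums (left zero) are made up."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip_total = 20 + 20 + tcp_opts_len + payload_len
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0x1234, 0x4000, 64,
                      IPPROTO_TCP, 0, bytes([192, 168, 1, 110]), bytes([192, 168, 1, 5]))
    data_off_words = (20 + tcp_opts_len) // 4
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, data_off_words << 4,
                      0x18, 0xFFFF, 0, 0) + b"\x01" * tcp_opts_len  # NOP options
    http = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body><p>It works</p></body></html>\n").ljust(payload_len, b" ")
    return eth + ip4 + tcp + http[:payload_len]


if __name__ == "__main__":
    for name, frag in SAMPLE_FRAGMENTS.items():
        r = parse_frame(frag)
        print(f"{name}: gdb-style ether_type 0x{r['raw_le']:x}, "
              f"ntohs 0x{r['ether_type']:04x} -> {':'.join(r['layers'])}")
    r = parse_frame(build_sample_frame())
    print("well-formed frame:", ":".join(r["layers"]), r["sizes"],
          "total", sum(r["sizes"].values()))
```

Run directly, the script reproduces the two odd values from the gdb session: bytes 12 and 13 of the request tail are ": " (0x3a 0x20) and of the response tail are "ut" (0x75 0x74), which a little-endian read prints as 0x203a and 0x7475, while a real frame prints 0x8 and decodes as 0x0800. Those "ether types" are ASCII from HTTP headers and body, so the buffer begins in the middle of a payload rather than at a frame boundary; the well-formed sample decodes as eth:ip4:tcp with sizes 14, 20, 32 and 490.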





_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!