Re: HTTP reassembly problem - Snort 2.9.6.1

[Mateusz Pigulski <m.pigulski () gmail com>]

Joel in my snort.conf I have:

preprocessor stream5_global: track_tcp yes, track_udp no
preprocessor stream5_tcp: policy linux, ports both all

I have also tested configuration with http inspects enable:

preprocessor http_inspect: global memcap 5000 iis_unicode_map
/usr/local/snort-2.9.6.0/etc/unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 50010
50007 }

but it also dosen't work.
Could You tell me if snort is able to consider sessions which were
established before snort has started working ??




2014-07-02 18:50 GMT+02:00 Mateusz Pigulski <m.pigulski () gmail com>:

> I will check it, I also suspect that my problem is connected with 3whs,
> tommorow I will give You more details.
>
>
> 2014-07-02 15:23 GMT+02:00 Joel Esler (jesler) <jesler () cisco com>:
>
>  Mateusz,
> >  I see you are doing an HTTP request over port 50007.  Do you have Snort
> > properly configured to examine HTTP packets on that port?
> >
> >  --
> > *Joel Esler*
> > Open Source Manager
> > Threat Intelligence Team Lead
> > Vulnerability Research Team
> >
> >   On Jun 26, 2014, at 8:45 AM, Mateusz Pigulski <m.pigulski () gmail com>
> > wrote:
> >
> >  Hi Joel, have You tried reproduced this issue??
> >
> >
> > 2014-06-23 8:56 GMT+02:00 Mateusz Pigulski <m.pigulski () gmail com>:
> >
> > >   Sure, everything You can find in attachments. During my test I send
> > > HTTP POST request via curl:
> > >
> > >  curl -i http://10.11.169.41:50007/kabira/kpsa/submitOrder -H
> > > "Content-Type: text/xml" --data-binary "@testreq.xml"
> > >
> > >  In attachment You can find xml file which I sent via curl.
> > >
> > >
> > > 2014-06-23 0:33 GMT+02:00 Joel Esler (jesler) <jesler () cisco com>:
> > >
> > >  Do you have packet captures and a configuration we can use to
> > > > reproduce the issue?
> > > >
> > > > --
> > > > Joel Esler
> > > > Sent from my iPhone
> > > >
> > > > On Jun 22, 2014, at 16:04, "Mateusz Pigulski" <m.pigulski () gmail com>
> > > > wrote:
> > > >
> > > >   Hello, anybody knows this issue ??
> > > >
> > > >
> > > > 2014-06-17 23:14 GMT+02:00 Mateusz Pigulski <m.pigulski () gmail com>:
> > > >
> > > > > Hi experts!!!
> > > > >
> > > > > I am new user in mailing list and also new in snort, so firstly I want
> > > > > say Hello!!.
> > > > > I have configured Snort 2.9.6.1 with daq 2.0.2 and pf_ring 5.6.1. I
> > > > > want use snort to capture HTTP POST which are forwarded to my system. I
> > > > > have problem with configuration the output to store the reassembled
> > > > > packets. When size of HTTP POST is larger then 1500, I can see in my
> > > > > unified2 file that every tcp segemnt is stored as event and packet, so if
> > > > > HTTP POST consist of 2 tcp segments I have 2 events and 2 packets, from my
> > > > > point of view would be better to have only one event and packet for
> > > > > reassembled packet. I have read this thread:
> > > > > http://seclists.org/snort/2012/q4/758, and 2 Years ago it was
> > > > > impossible, so my question is: is it possible to configure in snort 2.9.6.1
> > > > > output with unified2 to store reassembled packets ??
> > > > >
> > > > >  -------------
> > > > > BR
> > > > > Mateusz
> > > >
> > > >
> > > >
> > > > --
> > > >
> > > > ------------
> > > > Mateusz
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > HPCC Systems Open Source Big Data Platform from LexisNexis Risk
> > > > Solutions
> > > > Find What Matters Most in Your Big Data with HPCC Systems
> > > > Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> > > > Leverages Graph Analysis for Fast Processing & Easy Data Exploration
> > > > http://p.sf.net/sfu/hpccsystems
> > > >
> > > >  _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > Snort news!
> > >
> > >
> > > --
> > >
> > > ------------
> > > Mateusz
> >
> >
> >
> > --
> >
> > ------------
> > Mateusz
>
>
> --
>
> ------------
> Mateusz



-- 

------------
Mateusz

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!