Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: (http_inspect) UNKNOWN METHOD error on squid

From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 04 Mar 2015 06:55:19 -0700
On Wed, 2015-03-04 at 12:17 +0000, Terry John wrote:

It’s difficult to sanitise the data for public viewing unfortunately.
But what I can say, from the squid logs, is that it is coming from a
fisheye server connecting to a code repository service providing
source code management. It connects successfully to port 443 of the
destination server.

 

The data comes as a burst of 3 or 4 packets in a second waits about 15
seconds then sends another burst of packets.

 

Sorry if it’s a bit vague

 


From: Al Lewis (allewi) [mailto:allewi () cisco com] 
Sent: 04 March 2015 11:22
To: Terry John; snort-users
Subject: RE: (http_inspect) UNKNOWN METHOD error on squid



 

Hello,

 

Can you provide a pcap of the traffic that is causing the alerts?

 

What this alert is telling you is that one of the http_methods used in
the packet is either not in your preprocessor config or
malformed/invalid.

 

 


Albert Lewis

QA Software Engineer

SOURCEfire, Inc. now part ofCisco

9780 Patuxent Woods Drive
Columbia, MD 21046 

Phone: (office) 443.430.7112

Email:allewi () cisco com 



 


From: Terry John
[mailto:Terry.John () completeautomotivesolutions co uk] 
Sent: Wednesday, March 04, 2015 5:52 AM
To: snort-users
Subject: [Snort-users] (http_inspect) UNKNOWN METHOD error on squid



 

I am trying to work out how to stop of thousands of false positives
caused by access to squid proxy on port 3128. Here is a typical error.

 

[119:31:1] (http_inspect) UNKNOWN METHOD [**]

[Classification: Unknown Traffic] [Priority: 3] <date>-<time>
<src_ip>:35360 -> <squid_server_ip>:3128

TCP TTL:128 TOS:0x0 ID:87051 IpLen:20 DgmLen:775 DF

***A**** Seq: 0x126F0768 Ack: 0x859E62D4 Win: 0x4980 TcpLen: 32

 

Here is what I think  is the relevant section of the pre-processor
declaration

 

preprocessor http_inspect_server: server default \

    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK
NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE
TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH
BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST
SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \

    allow_proxy_use \

    ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593
631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381
2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173
6988 7000 7001 7071 7144 7145 7510 7770 7777 7779 8000 8008 8014 8028
8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300
8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443 9999 10000
11371 12601 15489 29991 33300 34412 34443 34444 41080 44449 50000
50002 51423 53331 55252 55555 56712 } \

 

I have a local rule to reduce the number of errors but I would rather
not have to do that

 

# This is to reduce the number of 'unknown method' http alerts

event_filter gen_id 119, sig_id 31, type limit, track by_src, count 1,
seconds 10

 

I feel that squid proxy is so common that there should be a standard
setting for this but at the moment I just can’t find it.

 

If I delete port 3128 from the list of ports then the rule is not
applied but I don’t think that is what we want.

 

Thanks

 

The Manheim group of companies within the UK comprises: Manheim Europe
Limited (registered number: 03183918), Manheim Auctions Limited
(registered number: 00448761), Manheim Retail Services Limited
(registered number: 02838588), Motors.co.uk Limited (registered
number: 05975777), Real Time Communications Limited (registered
number: 04277845) and Complete Automotive Solutions Limited
(registered number: 05302535). Each of these companies is registered
in England and Wales with the registered office address of Central
House, Leeds Road, Rothwell, Leeds LS26 0JE. The Manheim group of
companies operates under various brand/trading names including Manheim
Inspection Services, Manheim Auctions, Manheim Direct, Manheim
De-fleet and Manheim Aftersales Solutions. 

V:0CF72C13B2AC

 



------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



Prove the method squid is passing from the pcap...that should tell us if
it is indeed not passing a method in the list (I run squid on a snort
box and well and have not seen this before).

James

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: