Snort mailing list archives

http_inspect missing requests


From: Felix Erlacher <felix.erlacher () uibk ac at>
Date: Fri, 3 Feb 2017 19:27:45 +0100

Hi all,

I have a pcap trace containing HTTP traffic. I began to wonder because
Snort did not trigger all alerts I was expecting. So I extracted the TCP
stream in question and looked at it more closely. My impression is that
for some reason the HTTP preprocessor is not parsing all GET requests.
If I load this trace in Wireshark, then "follow TCP stream", it shows me
10 GET requests.
If I use ngrep to manually inspect the trace, I count 10 GET requests as
well.

But the HTTP Inspect preprocessor of Snort tells me it found only 7 GET
requests?!
What could possibly be the problem?

Some peculiarities of the trace:
Heavy usage of HTTP/1.1 pipelining
While Wireshark and the Snort DAQ tell me they processed 13 packets,
HTTP inspect tells me it processed 17 packets.
This trace contains checksum errors and a tcp RST in the last packet.

I am using Snort 2.9.9.0 with snort.conf from tarball and "-k none" switch.

I would be happy to share the trace, but for privacy reasons I don't
want to do that on the list. In case someone wants to take a look, just
drop me a mail.

thanks and greetings
-- 
Felix Erlacher
ccs-labs.org/~erlacher

Key-ID:4EAC0959
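One way to independently check what a trace contains, as an added example that is not part of the original post and has nothing to do with Snort's own http_inspect implementation: a small incremental counter that frames pipelined HTTP/1.1 requests from a reassembled TCP stream. It buffers bytes across segments, so a request line split across two packets is still counted, and it frames each request by the end of its headers plus any Content-Length body rather than by grepping for "GET ", which a raw ngrep-style count can over- or under-report. The stream, the host name and the segment sizes are constructed for illustration.

```python
"""Count pipelined HTTP/1.1 requests in a reassembled TCP stream, fed one
segment at a time.  Added example; not from the original post and not Snort
code.  The stream below is constructed."""


class PipelinedRequestCounter:
    """Incremental parser: buffers bytes across segments and frames each
    request by the blank line ending its headers plus any Content-Length body."""

    def __init__(self):
        self.buf = b""
        self.request_lines = []  # request line of every complete request seen

    def feed(self, segment: bytes) -> None:
        self.buf += segment
        while True:
            end = self.buf.find(b"\r\n\r\n")
            if end == -1:
                return  # headers incomplete; wait for the next segment
            head = self.buf[:end]
            lines = head.split(b"\r\n")
            body_len = 0
            for line in lines[1:]:
                name, _, value = line.partition(b":")
                if name.strip().lower() == b"content-length":
                    body_len = int(value.strip())
            total = end + 4 + body_len
            if len(self.buf) < total:
                return  # body incomplete; wait for more data
            self.request_lines.append(lines[0].decode("ascii", "replace"))
            self.buf = self.buf[total:]  # drop the framed request, keep the rest

    def count(self, method: str = "GET") -> int:
        return sum(1 for rl in self.request_lines if rl.startswith(method + " "))


def count_requests(segments, method: str = "GET"):
    """Feed a list of segments; return (method count, all request lines,
    bytes still unframed at the end of the stream)."""
    c = PipelinedRequestCounter()
    for seg in segments:
        c.feed(seg)
    return c.count(method), c.request_lines, len(c.buf)


def naive_count(stream: bytes) -> int:
    """What a plain substring search reports; included for comparison."""
    return stream.count(b"GET ")


def split_stream(stream: bytes, size: int):
    """Re-segment the stream into fixed-size chunks (constructed packetisation)."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


# Constructed stream: three pipelined GETs plus one POST whose 9-byte body
# happens to contain "GET ", so a substring count over-reports.
STREAM = (
    b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"POST /c HTTP/1.1\r\nHost: example.test\r\nContent-Length: 9\r\n\r\nGET /x!!!"
    b"GET /d HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

if __name__ == "__main__":
    print("substring count:", naive_count(STREAM))
    for size in (len(STREAM), 7):
        n, lines, leftover = count_requests(split_stream(STREAM, size))
        print(f"segment size {size}: {n} GETs, {len(lines)} requests, {leftover} bytes unframed")
```

Running the counter over the same stream with different segment sizes should give the same request count; if a tool's count changes with packetisation, the discrepancy lies in reassembly or framing rather than in the traffic itself. Note that this parser deliberately handles only Content-Length bodies, not chunked transfer encoding.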



