Snort mailing list archives

snort3: problem with http_inspect


From: Marcin Dulak <marcin.dulak () gmail com>
Date: Sat, 25 Feb 2017 20:05:45 +0100

Hi,

I have a problem with http_inspect,
https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438

I make an HTTP request against the machine running snort/nfqueue:

# curl -s -m 1 http://192.168.17.30/test

and expect my sid:3000001 (see below) to be triggered, but only sid:4000003
is triggered instead.
My question is what am I missing to trigger sid:3000001 with the new
http_inspect?

Now, when in /etc/snort/snort.lua I use
-- http_inspect = { }
http_server = { }

then all but sid:4000001 are triggered:

# u2spewfoo /var/log/snort/unified2.log.1488047835 | grep "sig id"
    sig id: 4000003    gen id: 1    revision: 0     classification: 0
    sig id: 3000002    gen id: 1    revision: 0     classification: 0
    sig id: 3000001    gen id: 1    revision: 0     classification: 0
    sig id: 4000002    gen id: 1    revision: 0     classification: 0

I see the unified2 log also contains (ExtraDataHdr) (ExtraData) records,
and only two events get parsed by py-idstools, which I normally use with
snort2:

# idstools-u2json /vagrant/unified2.log.1488047835 | grep signature
WARNING: No alert message map entries loaded.
WARNING: No classifications loaded.
ERROR: Unknown record type: 3
{"event": {"dport-icode": 80, "pad2": 0, "event-second": 1488047842,
"sensor-id": 0, "event-id": 1, "classification-id": 0, "sport-itype":
40062, "generator-id": 1, "signature-revision": 0, "mpls-label": 0,
"event-microsecond": 283661, "protocol": 6, "destination-ip":
"192.168.17.30", "blocked": 0, "signature-id": 4000003, "priority": 0,
"vlan-id": 0, "impact-flag": 0, "impact": 0, "source-ip": "192.168.17.20"}}
{"event": {"dport-icode": 80, "pad2": 0, "event-second": 1488047842,
"sensor-id": 0, "event-id": 2, "classification-id": 0, "sport-itype":
40062, "generator-id": 1, "signature-revision": 0, "mpls-label": 0,
"event-microsecond": 283661, "protocol": 255, "destination-ip":
"192.168.17.30", "blocked": 0, "signature-id": 3000002, "priority": 0,
"vlan-id": 0, "impact-flag": 0, "impact": 0, "source-ip": "192.168.17.20"}}

Snort running as:

# xargs -0 < /proc/`pidof snort`/cmdline
/usr/sbin/snort -d -Q --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort
-c /etc/snort/snort.lua -A unified2 -v -X --plugin-path
/usr/lib64/snort_extra -k none

# iptables-save
*filter
:INPUT ACCEPT [5428:45165731]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4796:239048]
-A INPUT -i enp0s8 -j NFQUEUE --queue-num 0 --queue-bypass
-A OUTPUT -o enp0s8 -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT

The only difference compared to the GitHub lua files is in
/etc/snort/snort_defaults.lua

# diff snort3/lua/snort_defaults.lua /etc/snort/snort_defaults.lua
32a33,35
RULE_PATH = conf_dir .. '/rules'
ips = { include = RULE_PATH .. '/snort.rules' }


and the rules are as follows:

# cat /etc/snort/rules/snort.rules
alert tcp any any -> any 80 (msg:"test"; flow:to_server,established;
http_uri; content:"/test"; sid:3000001;)
alert tcp any any -> any 80 (msg:"test"; http_uri; content:"/test";
sid:3000002;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET";
http_method; content: "GET"; sid:4000001;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET";
http_method; sid:4000002;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; content:
"GET"; sid:4000003;)


Marcin
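The post's log shows a second failure besides the rule question: py-idstools stops with "Unknown record type: 3", so any event that follows the unfamiliar record is lost. The unified2 framing itself is simple (a 4-byte record type and a 4-byte body length in network byte order, then the body), so a reader can walk past record types it cannot decode instead of aborting. The following is an added example written for this thread, not code from the post or from py-idstools: it walks a constructed unified2 byte string that mimics the post's log (a type-7 event for sid 4000003, a type-3 record with opaque filler, a type-7 event for sid 3000002), decodes the legacy 52-byte type-7 event body, and counts the records it skipped. The sample bytes, the `strict` flag and the helper names are assumptions made here; only the framing and the type-7 layout come from the Snort 2 unified2 format.

```python
"""Tolerant unified2 record walker (added example, not from the post or py-idstools)."""
import socket
import struct
from collections import Counter

# Record framing shared by Snort 2 and Snort 3 unified2 logs: a 4-byte type
# and a 4-byte body length, both network byte order, followed by the body.
RECORD_HDR = struct.Struct("!II")

# Snort 2 record types an older reader such as py-idstools already knows.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7       # legacy IPv4 event, 52-byte body
UNIFIED2_EXTRA_DATA = 110
KNOWN_TYPES = {UNIFIED2_PACKET, UNIFIED2_IDS_EVENT, UNIFIED2_EXTRA_DATA}

# Layout of the 52-byte Unified2IDSEvent (type 7) body, keyed like idstools' JSON.
IDS_EVENT = struct.Struct("!IIIIIIIII4s4sHHBBBB")
IDS_EVENT_FIELDS = (
    "sensor-id", "event-id", "event-second", "event-microsecond",
    "signature-id", "generator-id", "signature-revision",
    "classification-id", "priority", "source-ip", "destination-ip",
    "sport-itype", "dport-icode", "protocol", "impact-flag", "impact", "blocked",
)


class UnknownRecordType(Exception):
    """Raised only in strict mode, reproducing the abort seen in the post."""


def iter_records(data, strict=False):
    """Yield (type, body) for each record; in strict mode abort at the first unknown type."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            raise ValueError("truncated record of type %d at offset %d" % (rtype, off - RECORD_HDR.size))
        if strict and rtype not in KNOWN_TYPES:
            raise UnknownRecordType(rtype)
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_ids_event(body):
    """Decode a type-7 body into a dict with the same keys idstools prints."""
    ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(body[:IDS_EVENT.size])))
    ev["source-ip"] = socket.inet_ntoa(ev["source-ip"])
    ev["destination-ip"] = socket.inet_ntoa(ev["destination-ip"])
    return ev


def summarize(data, strict=False):
    """Return the signature ids decoded and a per-type count of skipped records."""
    sids, skipped = [], Counter()
    for rtype, body in iter_records(data, strict=strict):
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
            sids.append(parse_ids_event(body)["signature-id"])
        elif rtype in KNOWN_TYPES:
            continue            # packet / extra data: not decoded in this example
        else:
            skipped[rtype] += 1  # unknown type: keep walking instead of aborting
    return {"signature-ids": sids, "skipped": dict(skipped)}


def strict_walk_fails(data):
    """True if a reader that aborts on unknown types would give up on this log."""
    try:
        summarize(data, strict=True)
    except UnknownRecordType:
        return True
    return False


# --- constructed sample log (assumed values echoing the post's idstools output) ---
def build_ids_event(sid, event_id, proto=6):
    body = IDS_EVENT.pack(0, event_id, 1488047842, 283661, sid, 1, 0, 0, 0,
                          socket.inet_aton("192.168.17.20"),
                          socket.inet_aton("192.168.17.30"),
                          40062, 80, proto, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_record(rtype, body):
    return RECORD_HDR.pack(rtype, len(body)) + body


SAMPLE_LOG = (
    build_ids_event(4000003, 1)
    + build_record(3, b"\x00" * 16)   # type 3 as reported in the post; body is opaque filler
    + build_ids_event(3000002, 2, proto=255)
)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("abort-on-unknown reader fails:", strict_walk_fails(SAMPLE_LOG))
```

Run against a real file with `summarize(open(path, "rb").read())`; the `skipped` counter then tells you which Snort 3 record types your tooling needs to learn, while every event it can already decode still gets through.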