Snort mailing list archives
Re: snort3: problem with http_inspect
From: Marcin Dulak <marcin.dulak () gmail com>
Date: Sun, 26 Feb 2017 00:19:38 +0100
On Sat, Feb 25, 2017 at 11:24 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
Hello, I think you need to uncomment http_inspect "remove the dashes from in front of it"

The behavior of http_inspect I described was without any dashes, with the default snort.lua from github. I have tested whether the lua comment "--" makes any difference and it does not - I mean dashes are treated as a comment.

-- http_inspect = { }
http_server = { }

Are you using the default lua files from github? Or maybe the few last commits since https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438 could have changed something? Or maybe related to hyperscan, which I'm not using?

Marcin
It alerts for me.

ALLEWI-M-8257:snort3 allewi$ ./bin/snort -c etc/snort/marcin.lua -r /tmp/TEST.pcap -Acmg -k none -q
02/25-16:54:57.819915 [**] [1:3000001:0] "test" [**] [Priority: 0] {TCP} 192.168.1.128:53687 -> 74.125.196.99:80
- - - stream_tcp[58]- - - - - - - - - - - - - - - - - - - - - - - - -
48 6F 73 74 3A 20 77 77 77 2E 67 6F 6F 67 6C 65  Host: www.google
2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67 65 6E 74  .com..User-Agent
3A 20 63 75 72 6C 2F 37 2E 34 33 2E 30 0D 0A 41  : curl/7.43.0..A
63 63 65 70 74 3A 20 2A 2F 2A                    ccept: */*
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ALLEWI-M-8257:snort3 allewi$ cat etc/snort/marcin.lua | grep alert
alert tcp any any -> any 80 (msg:"test"; flow:to_server,established;http_uri; content:"/test"; sid:3000001;)
ALLEWI-M-8257:snort3 allewi$

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 2/25/17, 2:05 PM, "Marcin Dulak" <marcin.dulak () gmail com> wrote:

Hi,

I have a problem with http_inspect, https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438

I make an HTTP request against the machine running snort/nfqueue:

# curl -s -m 1 http://192.168.17.30/test

and expect my sid:3000001 (see below) to be triggered, but only sid:4000003 is triggered instead. My question is what am I missing to trigger sid:3000001 with the new http_inspect?
Now, when in /etc/snort/snort.lua I use

-- http_inspect = { }
http_server = { }

then all but sid:4000001 are triggered:

# u2spewfoo /var/log/snort/unified2.log.1488047835 | grep "sig id"
sig id: 4000003 gen id: 1 revision: 0 classification: 0
sig id: 3000002 gen id: 1 revision: 0 classification: 0
sig id: 3000001 gen id: 1 revision: 0 classification: 0
sig id: 4000002 gen id: 1 revision: 0 classification: 0

I see the unified2 log contains also (ExtraDataHdr) (ExtraData) and only two events get parsed by py-idstools, which I normally use with snort2:

# idstools-u2json /vagrant/unified2.log.1488047835 | grep signature
WARNING: No alert message map entries loaded.
WARNING: No classifications loaded.
ERROR: Unknown record type: 3
{"event": {"dport-icode": 80, "pad2": 0, "event-second": 1488047842, "sensor-id": 0, "event-id": 1, "classification-id": 0, "sport-itype": 40062, "generator-id": 1, "signature-revision": 0, "mpls-label": 0, "event-microsecond": 283661, "protocol": 6, "destination-ip": "192.168.17.30", "blocked": 0, "signature-id": 4000003, "priority": 0, "vlan-id": 0, "impact-flag": 0, "impact": 0, "source-ip": "192.168.17.20"}}
{"event": {"dport-icode": 80, "pad2": 0, "event-second": 1488047842, "sensor-id": 0, "event-id": 2, "classification-id": 0, "sport-itype": 40062, "generator-id": 1, "signature-revision": 0, "mpls-label": 0, "event-microsecond": 283661, "protocol": 255, "destination-ip": "192.168.17.30", "blocked": 0, "signature-id": 3000002, "priority": 0, "vlan-id": 0, "impact-flag": 0, "impact": 0, "source-ip": "192.168.17.20"}}

Snort running as:

# xargs -0 < /proc/`pidof snort`/cmdline
/usr/sbin/snort -d -Q --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c /etc/snort/snort.lua -A unified2 -v -X --plugin-path /usr/lib64/snort_extra -k none

# iptables-save
*filter
:INPUT ACCEPT [5428:45165731]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4796:239048]
-A INPUT -i enp0s8 -j NFQUEUE --queue-num 0 --queue-bypass
-A OUTPUT -o enp0s8 -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT

The only difference compared to the github's lua files is in /etc/snort/snort_defaults.lua

# diff snort3/lua/snort_defaults.lua /etc/snort/snort_defaults.lua
32a33,35
RULE_PATH = conf_dir .. '/rules'
ips = { include = RULE_PATH .. '/snort.rules' }

and the rules as follows:

# cat /etc/snort/rules/snort.rules
alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)
alert tcp any any -> any 80 (msg:"test"; http_uri; content:"/test"; sid:3000002;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; http_method; content: "GET"; sid:4000001;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET"; http_method; sid:4000002;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET";content:"GET"; sid:4000003;)

Marcin

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
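A worked example, added here and not part of the thread or of py-idstools: a small Python walker over a unified2 stream that pulls signature ids out of IDS event records and skips record types it does not know by their declared length instead of aborting, which is where idstools-u2json stopped in the log above. It uses only the standard unified2 record header (big-endian type and length) and the 52-byte IDS event layout; the sample stream, its addresses and the use of type 3 as a stand-in for an unrecognized record are constructed, not taken from Marcin's log.

```python
import struct
from typing import Dict, Iterator, List, Tuple

# unified2 record header: uint32 type, uint32 length (length excludes the header), big-endian
HEADER = struct.Struct(">II")
# Unified2IDSEvent (record type 7), 52 bytes: 11 x uint32, 2 x uint16, 4 x uint8
IDS_EVENT = struct.Struct(">11I2H4B")
IDS_EVENT_TYPE = 7


def walk_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (record_type, body) for every record; stop cleanly on a truncated tail."""
    off = 0
    while off + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, off)
        off += HEADER.size
        if off + length > len(data):
            break  # partial record, e.g. a file that is still being written
        yield rtype, data[off:off + length]
        off += length


def signature_ids(data: bytes) -> Tuple[List[int], Dict[int, int]]:
    """Return (signature ids of IDS events, {record_type: count}); unknown types are skipped."""
    sids: List[int] = []
    seen: Dict[int, int] = {}
    for rtype, body in walk_records(data):
        seen[rtype] = seen.get(rtype, 0) + 1
        if rtype == IDS_EVENT_TYPE and len(body) >= IDS_EVENT.size:
            fields = IDS_EVENT.unpack_from(body)
            sids.append(fields[4])  # signature_id is the fifth uint32
        # any other type is stepped over by its length rather than treated as fatal
    return sids, seen


def make_record(rtype: int, body: bytes) -> bytes:
    return HEADER.pack(rtype, len(body)) + body


def make_ids_event(sid: int, sport: int = 40062, dport: int = 80) -> bytes:
    # constructed sample: sensor 0, event id = sid, generator 1, TCP, 192.168.17.20 -> 192.168.17.30
    body = IDS_EVENT.pack(0, sid, 1488047842, 283661, sid, 1, 0, 0, 0,
                          0xC0A81114, 0xC0A8111E, sport, dport, 6, 0, 0, 0)
    return make_record(IDS_EVENT_TYPE, body)


# Constructed sample log: an event, an unrecognized type-3 record, another event.
SAMPLE_LOG = make_ids_event(4000003) + make_record(3, b"\x00" * 16) + make_ids_event(3000002)

if __name__ == "__main__":
    print(signature_ids(SAMPLE_LOG))
```

Run it on a real file with `signature_ids(open(path, "rb").read())`; the returned type counts show which record types the stream actually contains.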
Current thread:
- snort3: problem with http_inspect Marcin Dulak (Feb 25)
- Re: snort3: problem with http_inspect Al Lewis (allewi) (Feb 25)
- Re: snort3: problem with http_inspect Marcin Dulak (Feb 25)
- Re: snort3: problem with http_inspect Al Lewis (allewi) (Feb 25)
- Re: snort3: problem with http_inspect Marcin Dulak (Feb 26)
- Re: snort3: problem with http_inspect Marcin Dulak (Feb 26)
- Re: snort3: problem with http_inspect Al Lewis (allewi) (Feb 26)
- Re: snort3: problem with http_inspect Marcin Dulak (Feb 26)
- Re: snort3: problem with http_inspect Al Lewis (allewi) (Feb 26)
- Re: snort3: problem with http_inspect Marcin Dulak (Feb 25)
- Re: snort3: problem with http_inspect Al Lewis (allewi) (Feb 25)