Snort mailing list archives

Re: snort3: problem with http_inspect

From: Marcin Dulak <marcin.dulak () gmail com>
Date: Sun, 26 Feb 2017 00:19:38 +0100

On Sat, Feb 25, 2017 at 11:24 PM, Al Lewis (allewi) <allewi () cisco com>
wrote:

Hello,

        I


think you need to uncomment http_inspect “remove the dashes from in front

of it”


the behavior of http_inspect I described was without any dashes, with the
default snort.lua from github.
I have tested whether the lua comment "--" makes any difference and it does
not - I mean dashes are treated as a comment.

-- http_inspect = { }
http_server = { }

Are you using the default lua files from github? Or maybe the few last
commits since
https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438
could have changed something?
Or maybe related to hyperscan, which I'm not using?

Marcin


It alerts for me.


ALLEWI-M-8257:snort3 allewi$ ./bin/snort -c etc/snort/marcin.lua -r
/tmp/TEST.pcap -Acmg -k none -q
02/25-16:54:57.819915 [**] [1:3000001:0] "test" [**] [Priority: 0] {TCP}
192.168.1.128:53687 -> 74.125.196.99:80
- - - stream_tcp[58]- - - - - - - - - - - - - - - - - - - - - - - - -
48 6F 73 74 3A 20 77 77 77 2E 67 6F 6F 67 6C 65  Host: www.google
2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67 65 6E 74  .com..User-Agent
3A 20 63 75 72 6C 2F 37 2E 34 33 2E 30 0D 0A 41  : curl/7.43.0..A
63 63 65 70 74 3A 20 2A 2F 2A                    ccept: */*
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ALLEWI-M-8257:snort3 allewi$ cat etc/snort/marcin.lua | grep alert
        alert tcp any any -> any 80 (msg:"test";
flow:to_server,established;http_uri; content:"/test"; sid:3000001;)
ALLEWI-M-8257:snort3 allewi$






Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com








On 2/25/17, 2:05 PM, "Marcin Dulak" <marcin.dulak () gmail com> wrote:

Hi,

I have a problem with http_inspect,
https://github.com/snortadmin/snort3/commit/

a9f9bd38ced24da8196746074ef60a73d3bf0438


I make an HTTP request against the machine running snort/nfqueue:

# curl -s -m 1 http://192.168.17.30/test

and expect my sid:3000001 (see below) to be triggered, but only

sid:4000003

is triggered instead.
My question is what am I missing to trigger sid:3000001 with the new
http_inspect?

Now, when in /etc/snort/snort.lua I use
-- http_inspect = { }
http_server = { }

then all but sid:4000001 are triggered:

# u2spewfoo /var/log/snort/unified2.log.1488047835 | grep "sig id"
   sig id: 4000003    gen id: 1    revision: 0     classification: 0
   sig id: 3000002    gen id: 1    revision: 0     classification: 0
   sig id: 3000001    gen id: 1    revision: 0     classification: 0
   sig id: 4000002    gen id: 1    revision: 0     classification: 0

I see the unified2 log contains also (ExtraDataHdr) (ExtraData)
and only two events get parsed by py-idstools, which I normally use with
snort2:

# idstools-u2json /vagrant/unified2.log.1488047835 | grep signature
WARNING: No alert message map entries loaded.
WARNING: No classifications loaded.
ERROR: Unknown record type: 3
{"event": {"dport-icode": 80, "pad2": 0, "event-second": 1488047842,
"sensor-id": 0, "event-id": 1, "classification-id": 0, "sport-itype":
40062, "generator-id": 1, "signature-revision": 0, "mpls-label": 0,
"event-microsecond": 283661, "protocol": 6, "destination-ip":
"192.168.17.30", "blocked": 0, "signature-id": 4000003, "priority": 0,
"vlan-id": 0, "impact-flag": 0, "impact": 0, "source-ip":

"192.168.17.20"}}

{"event": {"dport-icode": 80, "pad2": 0, "event-second": 1488047842,
"sensor-id": 0, "event-id": 2, "classification-id": 0, "sport-itype":
40062, "generator-id": 1, "signature-revision": 0, "mpls-label": 0,
"event-microsecond": 283661, "protocol": 255, "destination-ip":
"192.168.17.30", "blocked": 0, "signature-id": 3000002, "priority": 0,
"vlan-id": 0, "impact-flag": 0, "impact": 0, "source-ip":

"192.168.17.20"}}


Snort running as:

# xargs -0 < /proc/`pidof snort`/cmdline
/usr/sbin/snort -d -Q --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort
-c /etc/snort/snort.lua -A unified2 -v -X --plugin-path
/usr/lib64/snort_extra -k none

# iptables-save
*filter
:INPUT ACCEPT [5428:45165731]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4796:239048]
-A INPUT -i enp0s8 -j NFQUEUE --queue-num 0 --queue-bypass
-A OUTPUT -o enp0s8 -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT

The only difference compared to the github's lua files is in
/etc/snort/snort_defaults.lua

# diff snort3/lua/snort_defaults.lua /etc/snort/snort_defaults.lua
32a33,35

RULE_PATH = conf_dir .. '/rules'
ips = { include = RULE_PATH .. '/snort.rules' }


and the rules as follows:

# cat /etc/snort/rules/snort.rules
alert tcp any any -> any 80 (msg:"test"; flow:to_server,established;
http_uri; content:"/test"; sid:3000001;)
alert tcp any any -> any 80 (msg:"test"; http_uri; content:"/test";
sid:3000002;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET";
http_method; content: "GET"; sid:4000001;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET";
http_method; sid:4000002;)
alert tcp any any -> any 80 (msg:"LOCAL http_method test for GET";

content:

"GET"; sid:4000003;)


Marcin
-----------------------------------------------------------

-------------------

Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest

Snort news!

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

snort3: problem with http_inspect Marcin Dulak (Feb 25)
- Re: snort3: problem with http_inspect Al Lewis (allewi) (Feb 25)
  - Re: snort3: problem with http_inspect Marcin Dulak (Feb 25)
    - Re: snort3: problem with http_inspect Al Lewis (allewi) (Feb 25)
    - Re: snort3: problem with http_inspect Marcin Dulak (Feb 26)
    - Re: snort3: problem with http_inspect Marcin Dulak (Feb 26)
    - Re: snort3: problem with http_inspect Al Lewis (allewi) (Feb 26)
    - Re: snort3: problem with http_inspect Marcin Dulak (Feb 26)
    - Re: snort3: problem with http_inspect Al Lewis (allewi) (Feb 26)
- Re: snort3: problem with http_inspect Tom Peters (thopeter) (Feb 27)