Snort mailing list archives

HTTP Inspect with only a GET request.
From: Shawn Lee <dashawn () gmail com>
Date: Tue, 21 May 2013 15:44:50 -0700

Sorry if I missed the post where this was already discussed. I was unable
to find it.

When I run Snort across a 2-packet sample consisting of a GET and an HTTP
200 response, Snort's HTTP Inspect output is the following:
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          1
    HTTP Request Headers extracted:       1
    Total packets processed:              3

When I run it just with the GET:
HTTP Inspect - encodings (Note: stream-reassembled packets included):
   POST methods:                         0
   GET methods:                          0
   HTTP Request Headers extracted:       0
   Total packets processed:              1

I also turned on debugging and traced through the code, and I can't find a
way to turn an option on in order to tell Snort to normalize across just a
GET request. Without this, I believe the Snort process will not fire on
uricontent if the response is lost due to packet loss, routing issues, or a
web server that doesn't respond.

Is there a way to get HTTP Inspect to normalize just a GET request without
a response so I can use http rules?


preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                             track_udp no, show_rebuilt_packets
preprocessor stream5_tcp: policy first

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 }


./snort -c /tmp/snort/snort.conf -r /tmp/snort/anon.pcap -l /tmp/ -k none

./snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version GRE (Build 73)
   ''''    By Martin Roesch & The Snort Team:
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version:

Attachment: anon.pcap
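An added example, not code from the post or from Snort, that writes a capture in the shape the poster describes (one PSH|ACK segment carrying the GET, no server response) and, going beyond the post, the same GET preceded by a full three-way handshake so the check can be repeated without relying on midstream pickup; endpoints, ports, MACs, sequence numbers and the request line are constructed values.

```python
# Added example (not the poster's or Snort's code): craft a GET-only capture with valid
# IPv4/TCP checksums. All addresses, ports, MACs, sequence numbers and the request are constructed.
import struct
import socket

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP frame with correct IPv4 header and TCP (pseudo-header) checksums."""
    saddr, daddr = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = saddr + daddr + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, 64, 6, 0, saddr, daddr)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload

def pcap_bytes(frames, ts=1369176290) -> bytes:
    """Serialise frames as a libpcap file (magic 0xa1b2c3d4, DLT_EN10MB, little-endian)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts + i, 0, len(frame), len(frame)) + frame
    return out

CLIENT, SERVER = "10.0.0.2", "10.0.0.1"  # constructed endpoints
GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"  # constructed request
def get_only_frame() -> bytes:
    """The single PSH|ACK segment of the poster's one-packet test (no handshake, no reply)."""
    return tcp_frame(CLIENT, SERVER, 40000, 80, 1001, 5001, 0x18, GET)

def handshake_then_get() -> list:
    """Same GET after a 3-way handshake, still with no server response."""
    return [tcp_frame(CLIENT, SERVER, 40000, 80, 1000, 0, 0x02),     # SYN
            tcp_frame(SERVER, CLIENT, 80, 40000, 5000, 1001, 0x12),  # SYN|ACK
            tcp_frame(CLIENT, SERVER, 40000, 80, 1001, 5001, 0x10),  # ACK
            get_only_frame()]                                        # GET, nothing follows

if __name__ == "__main__":
    with open("get_only.pcap", "wb") as f:
        f.write(pcap_bytes([get_only_frame()]))
```

Feed the resulting file to the same `./snort -c ... -r ...` command shown above and compare the "GET methods" and "HTTP Request Headers extracted" counters between the one-packet and handshake variants.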

Snort-users mailing list
Snort-users () lists sourceforge net