Snort mailing list archives
HTTP Inspect with only a GET request.
From: Shawn Lee <dashawn () gmail com>
Date: Tue, 21 May 2013 15:44:50 -0700
Sorry if I missed the post where this was already discussed. I was unable
to find it.
When I run snort across a 2-packet sample consisting of a GET and an HTTP
200 response, Snort's HTTP Inspect output is the following:
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 0
GET methods: 1
HTTP Request Headers extracted: 1
...
Total packets processed: 3
When I run it just with the GET:
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 0
GET methods: 0
HTTP Request Headers extracted: 0
...
Total packets processed: 1
I also turned on debugging and traced through the code and I can't find a
way to turn an option on in order to tell snort to normalize across just a
GET request. Without this I believe the snort process will not fire on
uricontent if the response is lost due to packet loss, routing issues, or a
web server that doesn't respond.
Is there a way to get HTTP Inspect to normalize just a GET request without
a response so I can use http rules?
snort.conf
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no, show_rebuilt_packets
preprocessor stream5_tcp: policy first
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 }
Cmd
./snort -c /tmp/snort/snort.conf -r /tmp/snort/anon.pcap -l /tmp/ -k none
./snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.4.6 GRE (Build 73)
'''' By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.12 2011-01-15
Using ZLIB version: 1.2.3.4
Attachment: anon.pcap
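To reproduce the comparison described in the post (a lone GET versus a GET followed by a 200, with or without a TCP handshake) without depending on the attached anon.pcap, here is an added example that writes minimal libpcap files from scratch using only the Python standard library. It is not code from the post or from the Snort project; the IP/MAC addresses, ports, sequence numbers, timestamps and HTTP payloads are constructed, and the frames are plain Ethernet/IPv4/TCP with no options. The post's command already passes `-k none`, so Snort would ignore checksums, but the script computes valid IP and TCP checksums anyway so the same files can be fed to other tools.

```python
"""Build minimal HTTP-over-TCP pcaps for testing http_inspect visibility.

Added example (not from the mailing-list post). All addresses, MACs,
sequence numbers, timestamps and payloads below are constructed.
"""
import socket
import struct

# Constructed endpoints (assumption: the post's anon.pcap uses different ones).
CLIENT = ("10.0.0.2", 40000)
SERVER = ("10.0.0.1", 80)
CLIENT_MAC = b"\x00\x11\x22\x33\x44\x02"
SERVER_MAC = b"\x00\x11\x22\x33\x44\x01"

# TCP flag bytes
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18

# Constructed sample request and response.
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over a correctly checksummed buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_packet(src, dst, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums, no options."""
    sip, sport = src
    dip, dport = dst
    sip_b, dip_b = socket.inet_aton(sip), socket.inet_aton(dip)
    # TCP header: data offset 5 (20 bytes), window 65535, checksum placeholder 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = sip_b + dip_b + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4 header: IHL 5, DF set, TTL 64, protocol 6 (TCP), checksum placeholder 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0x4000, 64, 6, 0, sip_b, dip_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    dst_mac, src_mac = (SERVER_MAC, CLIENT_MAC) if src == CLIENT else (CLIENT_MAC, SERVER_MAC)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload


def tcp_checksum_ok(frame: bytes) -> bool:
    """Re-verify the TCP checksum of a frame built by tcp_packet (IHL 5 assumed)."""
    ip, seg = frame[14:34], frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(pseudo + seg) == 0


def build_session(include_response: bool, handshake: bool = False) -> list:
    """GET alone, or GET plus 200 response, optionally preceded by a 3-way handshake.

    The post's sample had no handshake (2 packets: GET + response), so that is the default.
    """
    cseq, sseq = 1000, 5000
    pkts = []
    if handshake:
        pkts.append(tcp_packet(CLIENT, SERVER, cseq, 0, SYN))
        pkts.append(tcp_packet(SERVER, CLIENT, sseq, cseq + 1, SYNACK))
        pkts.append(tcp_packet(CLIENT, SERVER, cseq + 1, sseq + 1, ACK))
    cseq, sseq = cseq + 1, sseq + 1  # each side's SYN consumed one sequence number
    pkts.append(tcp_packet(CLIENT, SERVER, cseq, sseq, PSHACK, REQUEST))
    if include_response:
        pkts.append(tcp_packet(SERVER, CLIENT, sseq, cseq + len(REQUEST), PSHACK, RESPONSE))
    return pkts


def pcap_bytes(packets, linktype=1) -> bytes:
    """Serialize frames as a classic little-endian libpcap file (DLT_EN10MB)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for i, pkt in enumerate(packets):
        # Constructed timestamps, one second apart, near the post's date
        out.append(struct.pack("<IIII", 1369176290 + i, 0, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def write_pcap(path: str, packets) -> int:
    data = pcap_bytes(packets)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    # Replay each with the post's command line, e.g.
    #   ./snort -c snort.conf -r get_only.pcap -l /tmp/ -k none
    write_pcap("get_only.pcap", build_session(include_response=False))
    write_pcap("get_and_200.pcap", build_session(include_response=True))
    write_pcap("get_only_with_handshake.pcap", build_session(False, handshake=True))
```

Running the three files through the same snort.conf and comparing the "GET methods" and "HTTP Request Headers extracted" counters isolates whether the missing response, the missing handshake, or both are what keeps http_inspect from reporting the request; a lone unanswered request is exactly the case an attacker-side probe or a dropped reply would produce, so it is worth knowing which variant the sensor actually sees.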