Snort mailing list archives
Re: enable_xff with Snort
From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Sun, 22 Sep 2013 22:59:48 +0530
Just in case you require the PCAP and my (Snort) test.conf which I am using for testing.
This is how I am running the PCAP:
$ snort -r xforward.pcap -c /etc/test.conf -l /tmp/log/
and this is what is getting logged, where I cannot see the ExtraData:
$ u2spewfoo /tmp/log/snort.alert.log.1379870179
(Event)
sensor id: 0 event id: 1 event second: 1379869570 event microsecond: 267132
sig id: 2013504 gen id: 1 revision: 3 classification: 1
priority: 3 ip source: 10.0.2.15 ip destination: 174.36.85.72
src port: 34560 dest port: 80 protocol: 6 impact_flag: 0
blocked: 0
Packet
sensor id: 0 event id: 1 event second: 1379869570
packet second: 1379869570 packet microsecond: 267132
linktype: 1 packet_length: 274
[ 0] 52 54 00 12 35 02 08 00 27 EE 1B A6 08 00 45 00 RT..5...'.....E.
[ 16] 01 04 34 1E 40 00 40 06 F6 5A 0A 00 02 0F AE 24 ..4.@.@..Z.....$
[ 32] 55 48 87 00 00 50 86 55 CF 55 67 E7 BE 02 50 18 UH...P.U.Ug...P.
[ 48] 39 08 B7 38 00 00 47 45 54 20 2F 20 48 54 54 50 9..8..GET / HTTP
[ 64] 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 /1.1..User-Agent
[ 80] 3A 20 2E 44 65 62 69 61 6E 2E 41 50 54 2D 48 54 : .Debian.APT-HT
[ 96] 54 50 2F 31 2E 33 2E 28 30 2E 39 2E 37 2E 37 75 TP/1.3.(0.9.7.7u
[ 112] 62 75 6E 74 75 34 29 0D 0A 41 63 63 65 70 74 3A buntu4)..Accept:
[ 128] 20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 35 2E 74 65 */*..Host: 5.te
[ 144] 73 74 2E 63 6F 6D 0D 0A 56 69 61 3A 20 31 2E 31 st.com..Via: 1.1
[ 160] 20 6C 6F 63 61 6C 68 6F 73 74 20 28 73 71 75 69 localhost (squi
[ 176] 64 2F 33 2E 31 2E 32 30 29 0D 0A 58 2D 46 6F 72 d/3.1.20)..X-For
[ 192] 77 61 72 64 65 64 2D 46 6F 72 3A 20 31 39 32 2E warded-For: 192.
[ 208] 31 36 38 2E 31 2E 32 0D 0A 43 61 63 68 65 2D 43 168.1.2..Cache-C
[ 224] 6F 6E 74 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D ontrol: max-age=
[ 240] 32 35 39 32 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 259200..Connecti
[ 256] 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A on: keep-alive..
[ 272] 0D 0A ..
I am on Snort version:
,,_ -*> Snort! <*-
o" )~ Version 2.9.5.3 GRE (Build 132)
'''' By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.3.0
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.7
On Sun, Sep 22, 2013 at 4:00 PM, Balasubramaniam Natarajan <bala150985 () gmail com> wrote:
Hi, I have been trying to configure Snort's http_inspect for some time now without any success.
-- Regards, Balasubramaniam Natarajan www.blog.etutorshop.com
Attachment: xforward.pcap
Attachment: test.conf
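Added example, not code from this thread or from the Snort project: a small Python walker over a unified2 log such as /tmp/log/snort.alert.log.* that performs the same check the u2spewfoo output above is being used for, namely whether an EXTRA_DATA record (type 110) carrying the X-Forwarded-For address follows the IDS_EVENT record. Record layouts and type codes follow Snort's Unified2_common.h; the sample bytes are constructed from the values in the post, and the blob_length convention (counting its own 8 bytes) is an assumption that the parser itself does not rely on.

```python
import struct
from ipaddress import IPv4Address
UNIFIED2_IDS_EVENT = 7     # legacy IPv4 event record: the (Event) block u2spewfoo prints
UNIFIED2_EXTRA_DATA = 110  # record type enable_xff uses to carry X-Forwarded-For
EVENT_INFO_XFF_IPV4 = 1    # extra-data sub-type for an IPv4 XFF value (Unified2_common.h)

def iter_records(blob):
    """Yield (type, payload) per record; header is two big-endian uint32: type, length."""
    off = 0
    while off + 8 <= len(blob):
        rtype, rlen = struct.unpack_from("!II", blob, off)
        if off + 8 + rlen > len(blob):
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, blob[off + 8:off + 8 + rlen]
        off += 8 + rlen

def parse_event(payload):
    """52-byte legacy IDS_EVENT: 11 uint32, 2 uint16, 4 uint8 (fields in u2spewfoo order)."""
    f = struct.unpack_from("!11IHHBBBB", payload)
    return {"event_id": f[1], "sig_id": f[4], "gen_id": f[5], "rev": f[6],
            "src": str(IPv4Address(f[9])), "dst": str(IPv4Address(f[10])),
            "sport": f[11], "dport": f[12], "proto": f[13]}

def parse_extra(payload):
    """EXTRA_DATA: 8 uint32 (sub-header, sensor/event id, second, sub-type, data_type, blob_length), then blob."""
    _, _, _sensor, event_id, _sec, info, _dtype, _blen = struct.unpack_from("!8I", payload)
    value = str(IPv4Address(payload[32:36])) if info == EVENT_INFO_XFF_IPV4 else payload[32:]
    return {"event_id": event_id, "info_type": info, "value": value}

def xff_by_event(blob):
    """Return (events, xff); xff maps event_id -> XFF address and stays empty when Snort wrote no EXTRA_DATA."""
    events, xff = [], {}
    for rtype, payload in iter_records(blob):
        if rtype == UNIFIED2_IDS_EVENT:
            events.append(parse_event(payload))
        elif rtype == UNIFIED2_EXTRA_DATA:
            ex = parse_extra(payload)
            if ex["info_type"] == EVENT_INFO_XFF_IPV4:
                xff[ex["event_id"]] = ex["value"]
    return events, xff

def build_sample():
    """Constructed bytes: the event from the post followed by the XFF record it is missing."""
    ev = struct.pack("!11IHHBBBB", 0, 1, 1379869570, 267132, 2013504, 1, 3, 1, 3,
                     int(IPv4Address("10.0.2.15")), int(IPv4Address("174.36.85.72")),
                     34560, 80, 6, 0, 0, 0)
    xff = IPv4Address("192.168.1.2").packed  # the X-Forwarded-For value in the packet dump
    ex = struct.pack("!8I", UNIFIED2_EXTRA_DATA, 32 + len(xff), 0, 1, 1379869570,
                     EVENT_INFO_XFF_IPV4, 1, 8 + len(xff)) + xff  # blob_length assumed to count its own 8 bytes
    return (struct.pack("!II", UNIFIED2_IDS_EVENT, len(ev)) + ev
            + struct.pack("!II", UNIFIED2_EXTRA_DATA, len(ex)) + ex)
```

On a real log, pass `open(path, "rb").read()` to `xff_by_event`; an empty xff dict for an event whose packet carried an X-Forwarded-For header is the symptom described in the post.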
