Re: HTTP INSPECT fails on Mirror Port

[Anand Raj Manickam <anandrm () gmail com>]

On Wed, Aug 6, 2014 at 12:48 AM, Russ Combs (rucombs) <rucombs () cisco com> wrote:
> ________________________________________
> From: Anand Raj Manickam [anandrm () gmail com]
> Sent: Tuesday, August 05, 2014 4:05 AM
> To: Russ Combs (rucombs)
> Cc: James Lay; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
> Subject: Re: HTTP INSPECT fails on Mirror Port
>
> > * You have something weird going on.  Now 6 are are eth:ip4:tcp and 4 are eth:other.  Previously they were 
> > eth:ip4:other.
> >
> > * At this point, since it happens only on your interface, I suggest compiling a debug version of Snort so you can 
> > catch it and see what's up.  You will need to set breakpoints in decode.c in DecodeEthPkt() and DecodeIPv4Proto() 
> > wherever pc.other++ happens and figure out what protocol it sees instead of IP and TCP respectively.
>
> I have the gdb breaks set , i see that in Live packet capture mode ,
> there appears to be a internal fragmentation of the packet though the
> MTU is 1500, the max size of packet in this capture is only 556.
> If you look at the pkt structs data , i see Characters  . But when i
> played with pcap , i never saw character data. ( this is the reason
> why pcap works )
>
> * The problem does not appear to be with the length.  Your 556 byte server response is the actual, full size:
>
> eth:ip4:tcp:http = 14 + 20 + 32 + 490 = 556
>
> * You need to break on the pc.other++ lines in the above two functions and then look at exactly what the next layer 
> protocol is.  That is why decode is failing in these functions.
>
> * For example, in the eth function you can execute this command:
>
> p /x p->eh->ether_type
>
> * And in the ip4 function you can execute this command:
>
> p /x proto

Sorry .. i forgot to mention , that i did see random values on
ether_type (0x40,0x203a etc) , where as when i ran with the pcap , the
ptype was always 0x8 .
Not sure why the packets are split ..

Below is the DUMP of gdb on tap mode :

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$28 = 0x40
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$29 = 0x40
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$30 = 0x8
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7494064 "\255L", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb)  p /x p->iph->ip_proto
$31 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$32 = 0x203a
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$33 = 0x8
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb)  p /x p->iph->ip_proto
$34 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
added, yet.</p>\n</body></html>\n") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
added, yet.</p>\n</body></html>\n") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) p /x p->eh->ether_type
$35 = 0x7475
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:701
701    switch(ntohs(p->eh->ether_type))
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496064 "\255L", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) p /x p->eh->ether_type
$36 = 0x8
(gdb)  p /x p->iph->ip_proto
$37 = 0x6
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
650 {
(gdb) c
Continuing.




> I have the GDB dump below , with bt .
>
> I have turned off all offload settings
>
> # ethtool -k eth0
> Offload parameters for eth0:
> rx-checksumming: off
> tx-checksumming: off
> scatter-gather: off
> tcp segmentation offload: off
> udp fragmentation offload: off
> generic segmentation offload: off
>
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 2, DecodeIP (pkt=0xe7494064 "\217\033", len=52,
> p=0x56c63300 <s_packet>) at decode.c:2586
> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
> 650 {
> (gdb) bt
> #0  DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620,
> pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
> #1  0x56591224 in ProcessPacket (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n", ft=0x0)
>     at snort.c:1821
> #2  0x56593a58 in PacketCallback (user=0x0, pkthdr=0xffffd620,
> pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at snort.c:1704
> #3  0x5666f489 in pcap_process_loop (user=0x57628770 "(\211bW",
> pkth=0xffffd6bc, data=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n")
>     at daq_pcap.c:361
> #4  0xf7d9e8f2 in pcap_read_linux_mmap (handle=0x576289c8,
> max_packets=0, callback=0x5666f400 <pcap_process_loop>,
> user=0x57628770 "(\211bW") at ./pcap-linux.c:4071
> #5  0xf7da09b2 in pcap_dispatch (p=0x576289c8, cnt=0,
> callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at
> ./pcap.c:497
> #6  0x5666fc26 in pcap_daq_acquire (handle=0x57628770, cnt=0,
> callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at
> daq_pcap.c:379
> #7  0x5666eb1b in daq_acquire_with_meta (module=0x566bba60
> <pcap_daq_module_data>, handle=0x57628770, cnt=0, callback=0x56593830
> <PacketCallback>, metaback=0x0, user=0x0)
>     at daq_mod_ops.c:133
> #8  0x565b4f75 in DAQ_Acquire (max=0, callback=0x56593830
> <PacketCallback>, user=0x0) at sfdaq.c:540
> #9  0x565933bf in PacketLoop () at snort.c:3210
> #10 0x565977f3 in SnortMain (argc=5, argv=0xffffd9e4) at snort.c:907
> #11 0x56597bea in main (argc=841887793, argv=0x63410a0d) at snort.c:807
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300
> <s_packet>) at decode.c:2586
> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
> added, yet.</p>\n</body></html>\n") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 2, DecodeIP (pkt=0xe7496064 "\217\033", len=52,
> p=0x56c63300 <s_packet>) at decode.c:2586
> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 2, DecodeIP (pkt=0xe7496694 "\217\033", len=52,
> p=0x56c63300 <s_packet>) at decode.c:2586
> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe7497042 "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 2, DecodeIP (pkt=0xe7497064 "", len=52, p=0x56c63300
> <s_packet>) at decode.c:2586
> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe7497672 "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 2, DecodeIP (pkt=0xe7497694 "\217\033", len=52,
> p=0x56c63300 <s_packet>) at decode.c:2586
> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe749803c "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
>
> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
> pkthdr=0xffffd620, pkt=0xe749866c "") at decode.c:650
> 650 {
> (gdb) c
> Continuing.
> c

------------------------------------------------------------------------------
Infragistics Professional
Build stunning WinForms apps today!
Reboot your WinForms applications with our WinForms controls. 
Build a bridge from your legacy apps to the future.
http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!