[Snort-devel] Stream 4 observations

Joe McAlerney joey at ...60...
Tue Oct 9 17:12:15 EDT 2001

Hello all,

My coworker, Gary Grim, discovered an oddity in stream 4 plugin that may
or may not be a bug.  That is to say, it appears to be but may be the
intended behavior for some reason.  Basically, alerts generated from a
stream 4 session do not have corresponding log entries.  This accounts
for broken links in SnortSnarf and I imagine other log parsers.  If
someone can shed some light on this, that would be great (Marty?). 
Otherwise, consider this message a request for spp_stream4.c to be
patched with the attached file.

Gary wrote up the details:

The gist of the issue is that in the stream4 code, the packet structure
read from the wire, (Packet *) p, is replicated/modified and stored in a
structure (Packet *) stream_pkt, which subsequently is passed to the
alert/log engine, assuming proper conditions are met.  Since stream_pkt
is defined as external, its allocation persists, regardless of scope,
and therefore subsequent uses of the structure should initialize its
members.  Unfortunately, in the case of the packet_flags member, the |=
operator is not an initializer.  So, the first packet which flips the
"PKT_LOGGED" bit, turns off packet logging for all subsequent packets
that use this structure.  Does this make sense?


-Joe M.

|   Joe McAlerney     joey at ...63...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+
-------------- next part --------------
--- spp_stream4.c.old	Tue Oct  9 14:06:28 2001
+++ spp_stream4.c.new	Tue Oct  9 14:06:09 2001
@@ -2768,7 +2768,7 @@
     stream_pkt->tcp_option_count = 0;
     stream_pkt->tcp_lastopt_bad = 0;
-    stream_pkt->packet_flags |= PKT_REBUILT_STREAM;
+    stream_pkt->packet_flags = p->packet_flags | PKT_REBUILT_STREAM;
     DebugMessage(DEBUG_STREAM,"Built packet with %d byte payload:\n", 
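Review bot: with `stream_pkt->packet_flags = p->packet_flags | PKT_REBUILT_STREAM;` the reassembled packet now inherits every flag of the triggering wire packet, including PKT_LOGGED if that packet has already been handed to the log engine, which would suppress exactly the log entry this patch is meant to restore. If that can happen at this point in the reassembly path, consider initialising to `PKT_REBUILT_STREAM` alone or masking PKT_LOGGED out of the copied flags. Either way the plain assignment is consistent with the `= 0` resets of tcp_option_count and tcp_lastopt_bad just above it, so the `|=` was the odd one out.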

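To make the failure mode concrete, here is an added, self-contained C sketch (not Snort code) that mimics the reuse of a persistent stream packet buffer: the Packet struct, flag values and log engine are constructed stand-ins, and the buggy and patched builders differ only in the one line the patch touches.

```c
/* Constructed stand-ins for Snort's Packet struct and flag bits; the
   values are hypothetical, only the flag-handling pattern matters. */
#define PKT_REBUILT_STREAM 0x01
#define PKT_LOGGED         0x02
typedef struct { unsigned packet_flags; int tcp_option_count; } Packet;

/* Like stream_pkt in spp_stream4.c: one persistent buffer reused for every
   reassembled stream, so whatever was left in it survives between calls. */
static Packet stream_pkt;

/* Before the patch: |= only adds a bit; stale bits such as PKT_LOGGED stay. */
static Packet *build_stream_pkt_buggy(const Packet *p)
{
    (void)p;
    stream_pkt.tcp_option_count = 0;
    stream_pkt.packet_flags |= PKT_REBUILT_STREAM;
    return &stream_pkt;
}

/* After the patch: flags are re-initialised from the wire packet. */
static Packet *build_stream_pkt_fixed(const Packet *p)
{
    stream_pkt.tcp_option_count = 0;
    stream_pkt.packet_flags = p->packet_flags | PKT_REBUILT_STREAM;
    return &stream_pkt;
}

/* Stand-in for the alert/log engine: writes one log entry per packet and
   marks it PKT_LOGGED so it is not logged twice. Returns 1 if logged. */
static int log_if_needed(Packet *pkt)
{
    if (pkt->packet_flags & PKT_LOGGED)
        return 0;
    pkt->packet_flags |= PKT_LOGGED;
    return 1;
}

/* Two unrelated sessions each produce an alert; count the log entries. */
static int sessions_logged(Packet *(*build)(const Packet *))
{
    Packet wire1 = { 0, 0 }, wire2 = { 0, 0 };   /* constructed wire packets */
    int logged = 0;
    stream_pkt.packet_flags = 0;                 /* fresh start of the process */
    logged += log_if_needed(build(&wire1));
    logged += log_if_needed(build(&wire2));
    return logged;
}
```

With the buggy builder only the first session gets a log entry, which is the missing-log symptom SnortSnarf shows as broken links; with the patched builder both do.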