[Snort-devel] Stream 4 observations

Martin Roesch roesch at ...402...
Thu Oct 11 09:34:06 EDT 2001


Hi Joe,
     *Excellent* catch; that explains a great deal of odd behavior that
I was intermittently hearing about and having a hard time
understanding.  That was indeed a bug, and a biggie at that.  Patched
and committed (shortly)...

     -Marty


Joe McAlerney wrote:
> 
> Hello all,
> 
> My coworker, Gary Grim, discovered an oddity in the stream 4 plugin that may
> or may not be a bug.  That is to say, it appears to be but may be the
> intended behavior for some reason.  Basically, alerts generated from a
> stream 4 session do not have corresponding log entries.  This accounts
> for broken links in SnortSnarf and I imagine other log parsers.  If
> someone can shed some light on this, that would be great (Marty?).
> Otherwise, consider this message a request for spp_stream4.c to be
> patched with the attached file.
> 
> Gary wrote up the details:
> 
> The gist of the issue is that in the stream4 code, the packet structure
> read from the wire, (Packet *) p, is replicated/modified and stored in a
> structure (Packet *) stream_pkt, which subsequently is passed to the
> alert/log engine, assuming proper conditions are met.  Since stream_pkt
> is defined as external, its allocation persists, regardless of scope,
> and therefore subsequent uses of the structure should initialize its
> members.  Unfortunately, in the case of the packet_flags member, the |=
> operator is not an initializer.  So, the first packet which flips the
> "PKT_LOGGED" bit turns off packet logging for all subsequent packets
> that use this structure.  Does this make sense?
> 
> Thanks,
> 
> -Joe M.
> 
> --
> |   Joe McAlerney     joey at ...63...   |
> | Silicon Defense - Technical Support for Snort |
> |       http://www.silicondefense.com/          |
> +--                                           --+
> 
>   ------------------------------------------------------------------------
> --- spp_stream4.c.old   Tue Oct  9 14:06:28 2001
> +++ spp_stream4.c.new   Tue Oct  9 14:06:09 2001
> @@ -2768,7 +2768,7 @@
> 
>      stream_pkt->tcp_option_count = 0;
>      stream_pkt->tcp_lastopt_bad = 0;
> -    stream_pkt->packet_flags |= PKT_REBUILT_STREAM;
> +    stream_pkt->packet_flags = p->packet_flags | PKT_REBUILT_STREAM;
> 
>      DebugMessage(DEBUG_STREAM,"Built packet with %d byte payload:\n",
>              stream_pkt->dsize);
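Review bot: the replacement `stream_pkt->packet_flags = p->packet_flags | PKT_REBUILT_STREAM;` is the right shape, since stream_pkt has file scope and `|=` can only ever accumulate bits, so PKT_LOGGED set by the alert/log engine on one rebuilt packet would otherwise suppress logging of every later one; the fix relies on p being the fresh wire packet whose flags do not already carry PKT_LOGGED, which is worth stating in the commit message. The two lines above the change show tcp_option_count and tcp_lastopt_bad being explicitly reset each time; it would be worth auditing the rest of the rebuild path for any other stream_pkt member updated with a compound operator rather than assigned, since the same stale-state problem applies.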

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
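The stale-flag behavior Gary describes, modelled as an added example that is not Snort's code: a file-scope packet structure is reused across rebuilt packets, and the `|=` version keeps a PKT_LOGGED bit set by the logger while the patched assignment re-derives the flags from the wire packet each time. The Packet struct, the flag values and the log_packet engine are constructed for this demo, not spp_stream4.c's definitions.

```c
/* Added example (not from Snort): why "|=" on a persistent stream_pkt keeps a
 * stale PKT_LOGGED bit, and why "= p->packet_flags | PKT_REBUILT_STREAM" fixes
 * it. Struct layout and flag values are constructed placeholders. */
#include <stdint.h>
#include <stddef.h>

#define PKT_REBUILT_STREAM 0x01u  /* constructed value */
#define PKT_LOGGED         0x02u  /* constructed value */

typedef struct {
    uint32_t packet_flags;
    size_t   dsize;
} Packet;

/* Like spp_stream4.c's stream_pkt: file scope, so it persists across calls. */
static Packet stream_pkt;

/* Buggy rebuild: |= only ever adds bits, so PKT_LOGGED survives from the
 * previously rebuilt packet. */
static Packet *rebuild_buggy(const Packet *p) {
    stream_pkt.dsize = p->dsize;
    stream_pkt.packet_flags |= PKT_REBUILT_STREAM;
    return &stream_pkt;
}

/* Fixed rebuild (the posted patch): initialise from the wire packet's flags. */
static Packet *rebuild_fixed(const Packet *p) {
    stream_pkt.dsize = p->dsize;
    stream_pkt.packet_flags = p->packet_flags | PKT_REBUILT_STREAM;
    return &stream_pkt;
}

/* Simplified alert/log engine: log a packet once, then mark it logged. */
static int log_packet(Packet *pkt) {
    if (pkt->packet_flags & PKT_LOGGED)
        return 0;               /* already logged: skip */
    pkt->packet_flags |= PKT_LOGGED;
    return 1;
}

/* Feed n fresh wire packets through a rebuild function; return how many
 * reach the logger without a stale PKT_LOGGED bit. */
int count_logged(Packet *(*rebuild)(const Packet *), int n) {
    int logged = 0;
    stream_pkt.packet_flags = 0;     /* fresh process state */
    for (int i = 0; i < n; i++) {
        Packet wire = { .packet_flags = 0, .dsize = (size_t)(100 + i) };
        logged += log_packet(rebuild(&wire));
    }
    return logged;
}
```

With the buggy rebuild only the first of three packets is logged; with the patched assignment all three are.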
