[Snort-devel] Stream 4 observations
roesch at ...402...
Thu Oct 11 09:34:06 EDT 2001
*Excellent* catch, that explains a great deal of odd behavior that
I was intermittently hearing about and having a hard time
understanding. That was indeed a bug, and a biggie at that. Patched
and committed (shortly)...
Joe McAlerney wrote:
> Hello all,
> My coworker, Gary Grim, discovered an oddity in the stream 4 plugin that may
> or may not be a bug. That is to say, it appears to be but may be the
> intended behavior for some reason. Basically, alerts generated from a
> stream 4 session do not have corresponding log entries. This accounts
> for broken links in SnortSnarf and I imagine other log parsers. If
> someone can shed some light on this, that would be great (Marty?).
> Otherwise, consider this message a request for spp_stream4.c to be
> patched with the attached file.
> Gary wrote up the details:
> The gist of the issue is that in the stream4 code, the packet structure
> read from the wire, (Packet *) p, is replicated/modified and stored in a
> structure (Packet *) stream_pkt, which subsequently is passed to the
> alert/log engine, assuming proper conditions are met. Since stream_pkt
> is defined as external, its allocation persists, regardless of scope,
> and therefore subsequent uses of the structure should initialize its
> members. Unfortunately, in the case of the packet_flags member, the |=
> operator is not an initializer. So, the first packet which flips the
> "PKT_LOGGED" bit, turns off packet logging for all subsequent packets
> that use this structure. Does this makes sense?
> -Joe M.
> | Joe McAlerney joey at ...63... |
> | Silicon Defense - Technical Support for Snort |
> | http://www.silicondefense.com/ |
> +-- --+
> --- spp_stream4.c.old Tue Oct 9 14:06:28 2001
> +++ spp_stream4.c.new Tue Oct 9 14:06:09 2001
> @@ -2768,7 +2768,7 @@
> stream_pkt->tcp_option_count = 0;
> stream_pkt->tcp_lastopt_bad = 0;
> - stream_pkt->packet_flags |= PKT_REBUILT_STREAM;
> + stream_pkt->packet_flags = p->packet_flags | PKT_REBUILT_STREAM;
> DebugMessage(DEBUG_STREAM,"Built packet with %d byte payload:\n",
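Review bot: the replacement line `stream_pkt->packet_flags = p->packet_flags | PKT_REBUILT_STREAM;` does clear the stale bit carried over from the previous session, but it also copies every flag of the triggering wire packet into the rebuilt pseudo-packet. If `p` has already had PKT_LOGGED set on it by the time the stream is flushed, the rebuilt packet inherits that bit and is again skipped by the logger, which is the symptom this patch is meant to remove. The two context lines just above (`stream_pkt->tcp_option_count = 0;`, `stream_pkt->tcp_lastopt_bad = 0;`) reset their members to a known value rather than deriving them from `p`; unless some other flag of `p` is needed on the rebuilt packet, `stream_pkt->packet_flags = PKT_REBUILT_STREAM;` would follow that pattern and cannot inherit PKT_LOGGED. If the flags of `p` are intentionally carried over, a one-line comment saying why would help the next reader of this function.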
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
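The sticky-flag bug Gary describes is easy to reproduce in isolation. The following is an added example, not Snort code: a minimal stand-in for stream4's persistent `stream_pkt`, a toy log engine that marks a packet PKT_LOGGED once it has been logged, and the rebuild step in both its `|=` form and the assigned form from the posted patch. The flag values, the `Packet` layout and the log-engine behaviour are assumptions for illustration only.

```c
/* Added example (not Snort code): reproduces the sticky PKT_LOGGED bug in a
 * persistent, reused packet structure. Flag values, struct layout and the
 * log-engine rule below are assumptions for illustration, not Snort's own. */
#include <stdio.h>
#include <string.h>

#define PKT_REBUILT_STREAM 0x01  /* assumed value */
#define PKT_LOGGED         0x02  /* assumed value */

typedef struct {
    unsigned int packet_flags;
    unsigned int payload_len;
} Packet;

/* Like stream4's stream_pkt: one allocation reused for every rebuilt stream. */
static Packet stream_pkt;

/* Stand-in for the alert/log engine: a packet is logged once, and PKT_LOGGED
 * is set on it so the same packet is not written to the log twice. */
static int log_packet(Packet *pkt)
{
    if (pkt->packet_flags & PKT_LOGGED)
        return 0;                       /* already logged: suppressed */
    pkt->packet_flags |= PKT_LOGGED;
    return 1;
}

/* Buggy rebuild: |= only adds bits, so PKT_LOGGED left behind by the previous
 * session survives into the next one and every later rebuilt packet is
 * treated as already logged. */
static Packet *build_stream_pkt_buggy(const Packet *p)
{
    stream_pkt.payload_len = p->payload_len;
    stream_pkt.packet_flags |= PKT_REBUILT_STREAM;
    return &stream_pkt;
}

/* Fixed rebuild, in the shape of the posted patch: assign from the wire
 * packet's flags instead of OR-ing into the stale value. */
static Packet *build_stream_pkt_fixed(const Packet *p)
{
    stream_pkt.payload_len = p->payload_len;
    stream_pkt.packet_flags = p->packet_flags | PKT_REBUILT_STREAM;
    return &stream_pkt;
}

/* Push n rebuilt sessions through the log engine and count how many are
 * actually logged. 'builder' selects the buggy or the fixed construction. */
static int count_logged(Packet *(*builder)(const Packet *), int n)
{
    int logged = 0;
    memset(&stream_pkt, 0, sizeof stream_pkt);      /* fresh process state */
    for (int i = 0; i < n; i++) {
        Packet wire = { 0, 100 + (unsigned int)i }; /* constructed wire packet, no flags */
        logged += log_packet(builder(&wire));
    }
    return logged;
}

int main(void)
{
    printf("buggy: %d of 5 rebuilt packets logged\n",
           count_logged(build_stream_pkt_buggy, 5));
    printf("fixed: %d of 5 rebuilt packets logged\n",
           count_logged(build_stream_pkt_fixed, 5));
    return 0;
}
```

With the `|=` variant only the first rebuilt packet reaches the log; every later one is silently dropped because the bit set by the logger is never cleared, which is exactly why the alerts had no matching log entries. The same reasoning applies to any member of a long-lived, reused structure: each use must assign every field it relies on, not merely OR into it.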