[Snort-devel] Bug in spp_stream4.c (snort-1.8.1-RELEASE)

Paulo Alexandre Pinto Pires pappires at ...899...
Thu Oct 18 12:57:18 EDT 2001


Hello.


I found a condition where stream4_reassemble would not work: arbitrary
ports caused it not to assemble TCP streams in any port at all.

I tracked the problem down to stream4.c, where a variable was missing
initialization.  Attached is a patch with my changes to make it work.


System architecture: i386 (Pentium-III 700)

Operating system: Linux, kernel 2.0.36, libc5

Rules:
8<------------------------------------------------------------------------
    #snort config file to test ability to detect suspect content

    preprocessor frag2
    preprocessor stream4: timeout 60
    preprocessor stream4_reassemble: clientonly, ports 25 3128

    var MONITORED_CLIENTS [0/0]
    var MONITORED_SERVERS [0/0]
    var SERVER_PORT 80         


    alert tcp any any -> any any (  \
            flags: A+;  \
            content: "something1";  \
            content: "otherstuff2";  \
            nocase;  \
            msg: "something1+otherstuff2 detected";\
    )

    alert tcp any any -> any any (  \
            flags: A+;  \
            content: "POST /cgi-bin/webmail.exe";  \
            content: "=abuse%40tmp.com.br";  \
            nocase;  \
            msg: "Detected sending webmail to abuse at ...899...";\
    )

    #eof snort.conf
------------------------------------------------------------------------>8

Command line used: snort -z est

Any Snort error messages: Empty "Ports: " list for stream4_reassemble.


-- 
        Paulo Alexandre Pinto Pires -- pappires at ...899...
        TMP Consultoria em Informatica S/C -- http://www.tmp.com.br
        Phone: +55-21-2556-3791
-------------- next part --------------
--- spp_stream4.c.orig	Wed Aug 15 02:50:11 2001
+++ spp_stream4.c	Thu Oct 18 17:07:22 2001
@@ -861,7 +861,7 @@
                 
             ports = mSplit(args, " ", 40, &num_ports, 0);
                         
-            while(j < num_ports)
+            for(j=0; j<num_ports; j++)
             {
                 port = ports[j];
                 
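Review bot: the new loop header `for(j=0; j<num_ports; j++)` drops the spacing used by the line it replaces (`while(j < num_ports)`); write it as `for(j = 0; j < num_ports; j++)` to match the surrounding code. The declaration of `j` is outside this hunk, so please also confirm that nothing earlier in the function expects `j` to carry a value into this loop now that it is reset here, and consider initialising it at its declaration as well so the same class of bug cannot recur if the loop is changed again.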
@@ -894,7 +894,6 @@
                     s4data.assemble_ports[513] = 1;
                 }
 
-                j++;
             }
         }
         else
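Review bot: removing `j++;` leaves the blank context line above it sitting directly before the loop's closing brace; delete that blank line too. The loop body between the two hunks is not shown, so check it for any `continue`: with the old `while` form such a path skipped the increment, and with the `for` header it now advances `j`, which is a behaviour change worth stating in the patch description.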

