[Snort-devel] Re: Bug in spp_stream4.c (snort-1.8.1-RELEASE)

Martin Roesch roesch at ...402...
Sun Oct 21 21:05:27 EDT 2001


This was fixed in CVS quite some time ago; check out the CVS version.

     -Marty

Paulo Alexandre Pinto Pires wrote:
> 
> Hello.
> 
> I found a condition where stream4_reassemble would not work: arbitrary
> ports caused it not to assemble TCP streams on any port at all.
> 
> I tracked the problem down to stream4.c, where a variable was missing
> initialization.  Attached is a patch with my changes to make it work.
> 
> System architecture: i386 (Pentium-III 700)
> 
> Operating system: Linux, kernel 2.0.36, libc5
> 
> Rules:
> 8<------------------------------------------------------------------------
>     #snort config file to test ability to detect suspect content
> 
>     preprocessor frag2
>     preprocessor stream4: timeout 60
>     preprocessor stream4_reassemble: clientonly, ports 25 3128
> 
>     var MONITORED_CLIENTS [0/0]
>     var MONITORED_SERVERS [0/0]
>     var SERVER_PORT 80
> 
>     alert tcp any any -> any any (  \
>             flags: A+;  \
>             content: "something1";  \
>             content: "otherstuff2";  \
>             nocase;  \
>             msg: "something1+otherstuff2 detected";  \
>     )
> 
>     alert tcp any any -> any any (  \
>             flags: A+;  \
>             content: "POST /cgi-bin/webmail.exe";  \
>             content: "=abuse%40tmp.com.br";  \
>             nocase;  \
>             msg: "Detected sending webmail to abuse at ...899...";  \
>     )
> 
>     #eof snort.conf
> ------------------------------------------------------------------------>8
> 
> Command line used: snort -z est
> 
> Any Snort error messages: Empty "Ports: " list for stream4_reassemble.
> 
> --
>         Paulo Alexandre Pinto Pires -- pappires at ...899...
>         TMP Consultoria em Informatica S/C -- http://www.tmp.com.br
>         Phone: +55-21-2556-3791
> 
>   ------------------------------------------------------------------------
> 
>    spp_stream4.diff    Name: spp_stream4.diff
>                        Type: Plain Text (text/plain)

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org



