[Snort-devel] Re: Try This

Phil Wood cpw at ...86...
Fri Apr 5 16:35:10 EST 2002


Judy,

Boy, do I feel like an idiot.

It's a bug in all the little nippers that compare numbers that are
unsigned!  I'll fix some and send a patch to the snort developers.

With a patch for the tcp sequence number I see:

  [**] [1:0:0] seq match [**]
  04/03-22:00:03.090315 128.244.26.95:4705 -> 128.244.19.133:9100
  TCP TTL:126 TOS:0x0 ID:5750 IpLen:20 DgmLen:48 DF
  ******S* Seq: 0xEF00D327  Ack: 0x0  Win: 0x4000  TcpLen: 28
  TCP Options (4) => MSS: 1460 NOP NOP SackOK 

Without it, I saw the same as you, nada.

I've included two patches (for ack and win).  And, you should be able to use hex
notation like 0xEF00D327, 'cause I use strtoul to extract the number
and then htonl.  Oops, just looked at ack; it has some extras, one
of which is the nefarious 'x' notation.  Not the standard 0x notation.
Oh well, those snorters can have at it.  They're actually feeling
pretty smug about a major speed up in pattern matching speed.

To patch:

  cd snortsource
  patch < /tmp/seq.patch
  patch < /tmp/ack.patch

  make

I'll include your tar file for the developers to test on.

I wonder if there are any more like that out there?
Actually, the seq source was a bit futz'd.  It was treating
the seq as an ACK_CHECK!

Nothing like turning over a rock and getting nothing much done
today.

Thanks a lot!

On Fri, Apr 05, 2002 at 02:47:07PM -0500, Novak, Judy H. wrote:
> Phil,
> 
>    Your pcap files and rules worked fine.  Could this have anything to do
> with the native version of libpcap installed?  I installed snort-1.8.4 and
> the version of libpcap running on the linux (6.2? -  2.2.14-6.1.1smp kernel)
> supports tcpdump 3.4.  Anyway, I'm giving you the rules I used and the pcap
> capture of the record I was trying to get the rule to fire on (TCP sequence
> number either in hex or decimal).  Could a libpcap discrepancy be the
> problem?
> 
>    Thanks for all of your help.  Your program was great.
> 
>  <<tophil.tar>> 



-- 
Phil Wood, cpw at ...86...
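As an added example (not code from the mail, from the patches below, or from Snort), here is what the rule-option parser the patches reach for looks like with the checks a reviewer would ask for: strtoul() with an end pointer so trailing garbage is rejected, an explicit sign check, hex only on a 0x prefix so a leading zero is not read as octal, and a 32-bit range check before htonl(). The comparison side shows why the value is stored in network order: it is matched byte-for-byte against the raw header field. The function names parse_u32_option() and tcp_seq_matches() are mine, and the TCP header bytes are constructed from the alert quoted in the mail.

```c
/* Added example, not Snort code: parse a 32-bit TCP field given as a
 * rule option (decimal or 0x-hex) into network byte order, with the
 * input validation that atoi()/bare strtoul() do not provide. */
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse s (e.g. "4009808679" or "0xEF00D327") into *out_net, stored in
 * network byte order so it compares directly against the raw header.
 * Returns 0 on success, -1 on any malformed input. */
int parse_u32_option(const char *s, uint32_t *out_net)
{
    char *end;
    unsigned long v;
    int base = 10;

    if (s == NULL || out_net == NULL)
        return -1;

    while (isspace((unsigned char)*s))
        s++;

    /* strtoul() silently accepts "-1" (as ULONG_MAX); a sequence or ack
     * number has no sign, so reject it up front. */
    if (*s == '-' || *s == '+')
        return -1;

    /* Choose the base ourselves: base 0 would read "017" as octal 15. */
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X'))
        base = 16;

    errno = 0;
    v = strtoul(s, &end, base);

    if (end == s)                               /* no digits at all */
        return -1;
    if (errno == ERANGE || v > 0xFFFFFFFFUL)    /* overflow; long may be 64-bit */
        return -1;

    /* Only trailing whitespace may follow the number. */
    while (isspace((unsigned char)*end))
        end++;
    if (*end != '\0')
        return -1;

    *out_net = htonl((uint32_t)v);
    return 0;
}

/* Compare against the raw sequence number at offset 4 of a TCP header.
 * Both sides are in network order, so no ntohl() is needed. */
int tcp_seq_matches(const uint8_t *tcp_hdr, uint32_t want_net)
{
    uint32_t th_seq;
    memcpy(&th_seq, tcp_hdr + 4, sizeof th_seq);
    return th_seq == want_net;
}

/* Constructed 28-byte TCP header mirroring the alert in the mail:
 * 4705 -> 9100, Seq 0xEF00D327, Ack 0, SYN, Win 0x4000, MSS/NOP/NOP/SackOK. */
static const uint8_t sample_tcp_hdr[28] = {
    0x12, 0x61,             /* source port 4705 */
    0x23, 0x8C,             /* dest port 9100 */
    0xEF, 0x00, 0xD3, 0x27, /* sequence number */
    0x00, 0x00, 0x00, 0x00, /* ack number */
    0x70, 0x02,             /* data offset 7 (28 bytes), SYN */
    0x40, 0x00,             /* window 0x4000 */
    0x00, 0x00,             /* checksum (not computed here) */
    0x00, 0x00,             /* urgent pointer */
    0x02, 0x04, 0x05, 0xB4, /* MSS 1460 */
    0x01, 0x01,             /* NOP NOP */
    0x04, 0x02              /* SackOK */
};

int main(void)
{
    const char *inputs[] = { "0xEF00D327", "4009808679", " 017 ",
                             "4009808679x", "-1", "0x1FFFFFFFF", "" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint32_t net;
        if (parse_u32_option(inputs[i], &net) == 0)
            printf("%-14s -> 0x%08X  seq match: %s\n", inputs[i], ntohl(net),
                   tcp_seq_matches(sample_tcp_hdr, net) ? "yes" : "no");
        else
            printf("%-14s -> rejected\n", inputs[i]);
    }
    return 0;
}
```

With the original atoi() approach, "0xEF00D327" parsed as 0 (conversion stops at the 'x'), and a decimal value above INT_MAX is undefined behaviour for atoi(); the range and end-pointer checks above are what turn both cases into a rejected rule instead of a silently wrong match value.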

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tophil.tar
Type: application/x-tar
Size: 10240 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020405/51d92d87/attachment.tar>
-------------- next part --------------
--- /tmp/sp_tcp_seq_check.c	Sat Apr  6 00:04:58 2002
+++ sp_tcp_seq_check.c	Sat Apr  6 00:26:01 2002
@@ -71,7 +71,7 @@
 
     /* allocate the data structure and attach it to the
        rule's data struct list */
-    otn->ds_list[PLUGIN_TCP_ACK_CHECK] = (TcpSeqCheckData *) calloc(sizeof(TcpAckCheckData), sizeof(char));
+    otn->ds_list[PLUGIN_TCP_SEQ_CHECK] = (TcpSeqCheckData *) calloc(sizeof(TcpSeqCheckData), sizeof(char));
 
     /* this is where the keyword arguments are processed and placed into the 
        rule option's data structure */
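Review bot: the calloc() on the `+` line is still unchecked; if it returns NULL the ParseTcpSeq() call that follows dereferences a NULL ds_ptr and takes the rule parser down, so abort rule parsing with an error when `otn->ds_list[PLUGIN_TCP_SEQ_CHECK]` comes back NULL. The index and sizeof corrections themselves are right and necessary: with the old PLUGIN_TCP_ACK_CHECK index a rule carrying both `ack` and `seq` options had the two plugins share (and clobber) one ds_list slot. Minor style point: `calloc(sizeof(TcpSeqCheckData), sizeof(char))` has nmemb and size in the unusual order; `calloc(1, sizeof(TcpSeqCheckData))` reads as intended.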
@@ -99,17 +99,14 @@
 void ParseTcpSeq(char *data, OptTreeNode *otn)
 {
     TcpSeqCheckData *ds_ptr;  /* data struct pointer */
+    char **ep = NULL;
 
     /* set the ds pointer to make it easier to reference the option's
        particular data struct */
-    ds_ptr = otn->ds_list[PLUGIN_TCP_ACK_CHECK];
+    ds_ptr = otn->ds_list[PLUGIN_TCP_SEQ_CHECK];
 
-    while(isspace((int)*data))
-    {
-        data++;
-    }
-
-    ds_ptr->tcp_seq = htonl(atoi(data));
+    ds_ptr->tcp_seq = strtoul(data, ep, 0);
+    ds_ptr->tcp_seq = htonl(ds_ptr->tcp_seq);
 
 #ifdef DEBUG
     printf("Seq set to %lX\n", ds_ptr->tcp_seq);
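Review bot: `ep` is declared as `char **`, set to NULL and passed straight to strtoul(), so the end pointer is thrown away and nothing verifies that the whole option value was consumed: `seq: abc` yields 0 with no error and `seq: 0xEF00D327junk` parses silently. Declare `char *ep;`, call `strtoul(data, &ep, 0)` and reject the rule when `ep == data` or when `*ep` is anything but whitespace or NUL. Two further points on the same lines: base 0 treats a leading zero as octal, so `seq: 017` becomes 15 rather than 17; and strtoul() returns unsigned long, which is 64 bits on LP64 platforms, so a value above 0xFFFFFFFF is truncated by the htonl() call rather than rejected (check `errno == ERANGE` and `value > 0xFFFFFFFF`). Dropping the isspace() loop is fine, since strtoul() skips leading whitespace itself.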
@@ -137,7 +134,7 @@
         return 0; /* if error appeared when tcp header was processed,
                * test fails automagically */
 
-    if(((TcpSeqCheckData *)otn->ds_list[PLUGIN_TCP_ACK_CHECK])->tcp_seq == 
+    if(((TcpSeqCheckData *)otn->ds_list[PLUGIN_TCP_SEQ_CHECK])->tcp_seq == 
        p->tcph->th_seq)
     {
         /* call the next function in the function list recursively */
-------------- next part --------------
--- /tmp/sp_tcp_ack_check.c	Sat Apr  6 00:05:24 2002
+++ sp_tcp_ack_check.c	Sat Apr  6 00:25:46 2002
@@ -99,17 +99,14 @@
 void ParseTcpAck(char *data, OptTreeNode *otn)
 {
     TcpAckCheckData *ds_ptr;  /* data struct pointer */
+    char **ep = NULL;
 
     /* set the ds pointer to make it easier to reference the option's
        particular data struct */
     ds_ptr = otn->ds_list[PLUGIN_TCP_ACK_CHECK];
 
-    while(isspace((int)*data))
-    {
-        data++;
-    }
-
-    ds_ptr->tcp_ack = htonl(atoi(data));
+    ds_ptr->tcp_ack = strtoul(data, ep, 0);
+    ds_ptr->tcp_ack = htonl(ds_ptr->tcp_ack);
 
 #ifdef DEBUG
     printf("Ack set to %lX\n", ds_ptr->tcp_ack);
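Review bot: the same end-pointer problem as in the seq parser: `ep` is a `char **` holding NULL, so `strtoul(data, ep, 0)` discards where parsing stopped and a malformed `ack:` value (no digits, or digits followed by garbage) is accepted as 0 or as a truncated number. Use `char *ep;` with `strtoul(data, &ep, 0)` and reject the rule when `ep == data` or `*ep` is not whitespace/NUL; also check `errno == ERANGE` and that the value fits 32 bits before the htonl(), since unsigned long is 64 bits on LP64 hosts, and note that base 0 reads a leading zero as octal.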

