[Snort-devel] Resp/React Firing Problem/Bug

MASM mrclst at ...1424...
Fri Jun 21 03:23:03 EDT 2002


Hi again,

First of all, thank you for the answer.
I'm sorry if I insist. I agree with you when you say that the response
should be on the OTN, but what I see in the code is:
In rules.h the definition of proto_node on OTN struct is:

    struct _RuleTreeNode *proto_node; /* ptr to head part... */

And in rules.c the definition of function AddRspFuncToList:

void AddRspFuncToList(int (*func) (Packet *, struct _RspFpList *),
                      RuleTreeNode * rtn, void *params)
{
    RspFpList *idx;     /* index pointer */

#ifdef DEBUG
    printf("Adding response to list\n");
#endif

    /* set the index pointer to the start of this OTN's function list */
    idx = rtn->rsp_func;

    /* if there are no nodes on the function list... */
    if(idx == NULL)
    {
        /* calloc the list head */
        rtn->rsp_func = (RspFpList *) calloc(sizeof(RspFpList), sizeof(char));

        if(rtn->rsp_func == NULL)
        {
            FatalError("ERROR => AddRspFuncToList new node calloc failed: %s\n",
                       strerror(errno));
        }
        /* set the head function */
        rtn->rsp_func->ResponseFunc = func;
        rtn->rsp_func->params = params;
    }
    else
    {
        /* walk to the end of the list */
        while(idx->next != NULL)
        {
            idx = idx->next;
        }

        /* allocate a new node on the end of the list */
        idx->next = (RspFpList *) calloc(sizeof(RspFpList), sizeof(char));

        if(idx->next == NULL)
        {
            FatalError("ERROR => AddRspFuncToList new node calloc failed: %s\n",
                       strerror(errno));
        }
        /* link the function to the new node */
        idx->next->ResponseFunc = func;
        idx->next->params = params;

#ifdef DEBUG
        printf("Set ResponseFunc to %p\n", func);
#endif
    }
}

And this function has a comment inconsistent with the definition (OTN
instead of RTN):
/****************************************************************************
 *
 * Function: AddRspFuncToList(int (*func)(), OptTreeNode *)
 *
 * Purpose: Adds Response function to OTN
 *
 * Arguments: (*func)() => function pointer to the response module
 *            otn =>  pointer to the current OptTreeNode
 *
 * Returns: void function
 *
 ***************************************************************************/

I'm almost certain that I'm missing something here; possibly I am not
understanding the code, but I would like to ... Can someone
explain.... Please!

----- Original Message -----
From: "Jeff Nathan" <jeff at ...835...>
To: "MASM" <mrclst at ...1424...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Thursday, June 20, 2002 9:58 PM
Subject: Re: [Snort-devel] Resp/React Firing Problem/Bug


> MASM wrote:
> >
> > Hi,
> >
> > I'm doing some tests with the 1.8.6 snort version (the stable one) with
> > FlexResp (that needs some testing, I know).
> > I wrote a rule (in local.rules) similar to one of the default ones except on
> > the content string and with the resp:rst_all keyword:
> >
> > alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET roote login";
> > content:"login\: roote"; flags: A+; classtype:suspicious-login; sid:719000;
> > rev:2; resp:rst_all;)
> >
> > What happened was that after I do 'login: roote' the connection is dropped
> > right after the Login incorrect message. But the same happens if I do
> > 'login: xpto', or anything else that causes the match of the default rule:
> >
> > alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect";
> > content:"Login incorrect"; flags:A+; reference:arachnids,127;
> > classtype:bad-unknown; sid:718;  rev:5;)
> >
> > After enabling debug, analysing it and some digging on the code I found out
> > that the Resp or React keyword associated functions are not attached to the
> > OTN (option tree node) of the rule (like other keywords) but they are
> > attached to the RTN (rule tree node) of the rule. Which means (I suppose)
> > that all the rules with the same header will have the response triggered
> > and will have their connections dropped. I found in the debug output that
> > the previous default rule is on the same RTN (among others) of the one
> > created by me.
> >
> > What is the reason for this implementation option, and how can I solve this
> > problem (bug or not)?
> >
> > In the meanwhile I found out another strange small bug with the rev keyword:
> > without it the rule does not respond with rst.
> >
> > These are problems only with the response feature, alerts are just fine!
> >
> >        Hoping for an answer,
> >
> >                MASM
>
> Hello,
>
> sp_respond hangs a RespondData pointer off an OTN, not an RTN, as can be
> seen up towards the top of sp_respond.c:
>
> if(( rd = (RespondData *)calloc(sizeof(RespondData), sizeof(char))) == NULL)
> {
>     FatalError("ERROR => sp_respnd RespondInit() calloc failed!\n");
> }
>
> rd->response_flag = ParseResponse(data);
>
> AddRspFuncToList(Respond, otn->proto_node, (void *)rd );
>
> The only way to implement something like sp_respond is to hang a test
> off an OTN.  An RTN is used entirely differently.
>
> If you are able to reproduce this consistently, I'll take a look at it.
>
> -Jeff
>
> --
> http://jeff.wwti.com            (pgp key available)
> "Common sense is the collection of prejudices acquired by age eighteen."
> - Albert Einstein
>
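The point under discussion in this thread is where a response list is hung: on the OTN (one rule's options) or on the RTN (the header shared by every rule with the same protocol/addresses/ports). The following is an added example, not Snort's code and not from either poster; it is a deliberately simplified C model with hypothetical struct layouts and a hypothetical `CountResponses` driver, built around the two telnet rules quoted above. It keeps the same walk-to-end list append as the quoted `AddRspFuncToList`, but parameterised on the list head so the same routine can hang a response off either node type, and then shows how many times `rst_all` fires for a given payload under each attachment model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, reduced model of the response list and the RTN/OTN split
   (assumed shapes, not Snort's real definitions). */
typedef struct _RspFpList {
    int (*ResponseFunc)(const char *payload, void *params);
    void *params;
    struct _RspFpList *next;
} RspFpList;

typedef struct _OptTreeNode {
    const char *msg;             /* msg: keyword of the rule */
    const char *content;         /* content: keyword of the rule (plain substring) */
    RspFpList *rsp_func;         /* responses belonging to this rule only */
    struct _OptTreeNode *next;   /* next rule sharing the same header */
} OptTreeNode;

typedef struct _RuleTreeNode {
    const char *header;          /* shared "proto src sport -> dst dport" part */
    OptTreeNode *down;           /* all rules that share this header */
    RspFpList *rsp_func;         /* responses hung off the shared header */
} RuleTreeNode;

static int responses_fired;      /* how often a response ran during one evaluation */

/* Stand-in for the rst_all responder: counts instead of sending anything. */
static int RstAll(const char *payload, void *params)
{
    (void)payload; (void)params;
    responses_fired++;
    return 0;
}

/* Append to a response list; same walk-to-end logic as AddRspFuncToList,
   but on a list head so it can serve either an OTN or an RTN. */
static void AddRspFunc(RspFpList **head, int (*func)(const char *, void *), void *params)
{
    RspFpList *node = calloc(1, sizeof(RspFpList));
    if (node == NULL) { perror("calloc"); exit(EXIT_FAILURE); }
    node->ResponseFunc = func;
    node->params = params;
    if (*head == NULL) { *head = node; return; }
    RspFpList *idx = *head;
    while (idx->next != NULL) idx = idx->next;
    idx->next = node;
}

static void FireList(RspFpList *idx, const char *payload)
{
    for (; idx != NULL; idx = idx->next)
        idx->ResponseFunc(payload, idx->params);
}

static void FreeList(RspFpList *idx)
{
    while (idx != NULL) { RspFpList *n = idx->next; free(idx); idx = n; }
}

/* Walk the OTNs under one RTN; on a content match, run the response list of
   either the RTN (the behaviour MASM observed) or the matching OTN. */
static int Evaluate(RuleTreeNode *rtn, const char *payload, int respond_from_rtn)
{
    int matched = 0;
    for (OptTreeNode *otn = rtn->down; otn != NULL; otn = otn->next) {
        if (strstr(payload, otn->content) == NULL) continue;
        matched++;
        printf("  match: %s -> %s\n", rtn->header, otn->msg);
        FireList(respond_from_rtn ? rtn->rsp_func : otn->rsp_func, payload);
    }
    return matched;
}

/* Build the two telnet rules from the thread under one shared header (only the
   roote rule carries resp:rst_all) and return how many responses fired. */
int CountResponses(const char *payload, int respond_from_rtn)
{
    OptTreeNode incorrect = { "TELNET login incorrect", "Login incorrect", NULL, NULL };
    OptTreeNode roote     = { "TELNET roote login",     "login: roote",    NULL, &incorrect };
    RuleTreeNode rtn      = { "tcp $HOME_NET 23 -> $EXTERNAL_NET any", &roote, NULL };

    responses_fired = 0;
    if (respond_from_rtn) AddRspFunc(&rtn.rsp_func, RstAll, NULL);
    else                  AddRspFunc(&roote.rsp_func, RstAll, NULL);

    Evaluate(&rtn, payload, respond_from_rtn);

    FreeList(rtn.rsp_func);
    FreeList(roote.rsp_func);
    return responses_fired;
}

int main(void)
{
    const char *payloads[] = { "login: roote", "Login incorrect" };  /* constructed sample payloads */
    for (int i = 0; i < 2; i++) {
        int via_rtn = CountResponses(payloads[i], 1);
        int via_otn = CountResponses(payloads[i], 0);
        printf("payload \"%s\": RTN-attached fires %d, OTN-attached fires %d\n",
               payloads[i], via_rtn, via_otn);
    }
    return 0;
}
```

With the list hung off the RTN, a payload containing only "Login incorrect" still fires the response, because the shared header matched and the response list is consulted regardless of which OTN under it matched; with the list hung off the OTN, only the roote rule triggers it. That is exactly the symptom described in the thread, and it is why a response keyword has to be evaluated per option node rather than per header.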