[Snort-devel] Patch to fix plugbase.c error (XML and Database ascii output)

Brian Dinello briandinello at ...445...
Fri May 2 08:29:13 EDT 2003


All:


Issue:
------
VigilantMinds found a bug in plugbase.c shipped with Snort 2.0 that 
erroneously checks the characters '<', '>', and '&' in the data field of a 
matched packet.  When one of these characters is detected, the data field is 
replaced by the ascii representation of the character in question.

It appears that only two output plugins, XML and Database, have been 
affected by the faulty function in plugbase.c.


Symptoms:
---------
Normal XML output, when written to a file, looks like this:

  <event version="1.0">
    <sensor encoding="ascii" detail="full">
      <interface>any</interface>
      <ipaddr version="4"/>
      <hostname>xxxxxx.vigilantminds.com</hostname>
      <filter>not host localhost</filter>
    </sensor>
    <signature id="1568" revision="4" priority="1" class="VigilantMinds"/>
    <timestamp>2003-05-01 00:21:27-05</timestamp>
    <packet>
      <iphdr saddr="xxx.xxx.69.85" daddr="xxx.xxx.179.19" proto="6" ver="4" 
hlen="5" len="552" id="15840" ttl="113" csum="62408">
        <tcphdr sport="1041" dport="80" flags="16" seq="1102823914" 
ack="1307735971" off="5" win="9216" csum="14317">
          <data>GET /exchange/root.asp HTTP/1.1..Accept: <image/gif>, 
<image/x-xbitmap>, <image/jpeg></data>
        </tcphdr>
      </iphdr>
    </packet>
  </event>


Since the upgrade to Snort 2.0 and the re-addition of the XML plugin, it has 
sporadically looked like this:

  <event version="1.0">
    <sensor encoding="ascii" detail="full">
      <interface>any</interface>
      <ipaddr version="4"/>
      <hostname>xxxxxx.vigilantminds.com</hostname>
      <filter>not host localhost</filter>
    </sensor>
    <signature id="1568" revision="4" priority="1" class="VigilantMinds"/>
    <timestamp>2003-05-01 00:21:27-05</timestamp>
    <packet>
      <iphdr saddr="xxx.xxx.69.85" daddr="xxx.xxx.179.19" proto="6" ver="4" 
hlen="5" len="552" id="15840" ttl="113" csum="62408">
        <tcphdr sport="1041" dport="80" flags="16" seq="1102823914" 
ack="1307735971" off="5" win="9216" csum="14317">
          <data>></data>
        </tcphdr>
      </iphdr>
    </packet>
  </event>


Fix:
----

Patch plugbase.c with the diff and recompile.

plugbase.c diff:
1580c1576
<                  strcat(ret_val, "<");
---
>                  strncpy(ret_val, "<", size - (d_ptr - ret_val));
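Review bot: the destination and the bound disagree on the `>` side of this hunk. `strncpy(ret_val, "<", size - (d_ptr - ret_val))` computes the remaining space from `d_ptr` but writes at `ret_val`, the start of the buffer, which would overwrite whatever was already encoded and matches the symptom shown in the report. In normal diff format the `<` lines come from the first file and the `>` lines from the second, so as posted this reads as replacing `strcat` with that `strncpy`; if the intended fix is the `strcat` form, the diff was generated with its arguments reversed. Please resend as `diff -u original fixed` so the direction is unambiguous.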
1585c1581
<                  strcat(ret_val, "&");
---
>                  strncpy(ret_val, "&", size - (d_ptr - ret_val));
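Review bot: `strcat(ret_val, "&")` in this hunk has no bound and finds its insertion point by scanning for the first NUL from the start of the buffer, so it is only correct if the buffer is terminated exactly at the current write position and still has room; neither is visible here. Writing at the cursor with the remaining space checked, for example `strncpy(d_ptr, "&", size - (d_ptr - ret_val))` followed by explicit termination, keeps the length check and avoids rescanning the buffer for every escaped byte.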
1590c1586
<                  strcat(ret_val, ">");
---
>                  strncpy(ret_val, ">", size - (d_ptr - ret_val));
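Review bot: the string literals in this hunk and the two before it appear as the raw characters (`">"` here), which would not escape anything in the XML output. If the source has the entities (`&gt;`, `&lt;`, `&amp;`), the mail or archive rendering has decoded them and the patch may not apply as posted. Attaching the diff as a file, or sending it as plain text, would preserve the literals.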



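The encoding step described in the report, as an added example that is not Snort's code or part of the original post: each entity is written at the write cursor with the remaining space checked, so earlier output is never overwritten. The function name `xml_escape_payload` and the sample input are assumptions; rendering non-printable bytes as '.' follows the `HTTP/1.1..Accept:` sample above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Snort's function): render packet bytes as ASCII
 * for XML output. '<', '>' and '&' become entities, non-printable bytes
 * become '.', and every write happens at the cursor d_ptr, never at the
 * start of the buffer. Returns the number of characters written, or
 * (size_t)-1 if out is too small; out is always NUL-terminated. */
size_t xml_escape_payload(const unsigned char *data, size_t len,
                          char *out, size_t size)
{
    char *d_ptr = out;                 /* next write position */
    size_t i;

    if (out == NULL || size == 0)
        return (size_t)-1;
    for (i = 0; i < len; i++) {
        char one[2] = { '.', '\0' };   /* default for non-printable bytes */
        const char *rep = one;
        size_t rep_len, remaining = size - (size_t)(d_ptr - out);

        if (data[i] == '<')       rep = "&lt;";
        else if (data[i] == '>')  rep = "&gt;";
        else if (data[i] == '&')  rep = "&amp;";
        else if (data[i] >= 0x20 && data[i] <= 0x7e) one[0] = (char)data[i];

        rep_len = strlen(rep);
        if (rep_len + 1 > remaining) { /* keep room for the terminator */
            *d_ptr = '\0';
            return (size_t)-1;
        }
        memcpy(d_ptr, rep, rep_len);   /* append at the cursor */
        d_ptr += rep_len;
    }
    *d_ptr = '\0';
    return (size_t)(d_ptr - out);
}

int main(void)
{
    /* Constructed sample payload, not taken from a real capture. */
    const unsigned char sample[] = "Accept: <image/gif>&\r\n";
    char buf[64];

    if (xml_escape_payload(sample, sizeof(sample) - 1, buf, sizeof(buf)) != (size_t)-1)
        printf("<data>%s</data>\n", buf);
    return 0;
}
```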