[Snort-devel] possible preprocessor stream4 keepstats bug

Paul pjc at ...2577...
Wed Jul 14 13:05:44 EDT 2004


hi all,

version:snort-2.2.0RC1

this may be a topic for debate, but it seems to me that the
"keepstats" option on the preprocessor stream4: configuration
command should honor the "ports" definition on the
preprocessor stream4_reassemble: configuration command.
what i see happening is that stats are kept for all sessions
rather than only for the selected ports.

i've generated a working patch to illustrate my point along
with a sample snort.conf file: 

-----------------------------
snort.conf
-----------------------------
 
# Minimal test configuration used to show the stream4 keepstats behaviour.
# The network variables are left commented out; the one rule below uses a
# literal address instead.
#var HOME_NET any
#var EXTERNAL_NET any
#var SMTP $HOME_NET
#var HTTP_SERVERS $HOME_NET
#var SQL_SERVERS $HOME_NET
#var DNS_SERVERS $HOME_NET
##
# Turn off the decoder, TCP-option and IP-option alerts so the test output
# holds only the session data and the statistics.
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
##
# stream4: evasion alerts disabled, session statistics enabled (keepstats).
preprocessor stream4: disable_evasion_alerts, keepstats
# stream4_reassemble: options both and noalerts, with the port list limited to 21.
preprocessor stream4_reassemble: both, noalerts, ports 21
##
# classification.config is not loaded; the include is commented out.
#include classification.config
# Log TCP traffic between 192.168.0.0/16 (any port) and any host on port 21,
# in either direction (<>), with the session option set to printable.
log tcp 192.168.0.0/16 any <> any 21 (session: printable;)

--------------------------------
patch
--------------------------------
# diff spp_stream4.c spp_stream4.c.orig
2950d2949
<     int SessPort = 0;
2956,2958d2954
<     if(s4data.assemble_ports[ssn->server.port] == 1 || s4data.assemble_ports[ssn->client.port]==1) {
<       SessPort = 1;
<     }
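Review bot: The added port test (the `<` lines, since the diff was taken as patched-file-first) marks a session as selected when either endpoint's port is set in `s4data.assemble_ports`, so a session whose client merely uses a listed port as its source port is counted too, and the reassembly direction configured on `stream4_reassemble` is not consulted. Both lookups index the table directly with `ssn->server.port` and `ssn->client.port`; that is only safe if the table has an entry for every value the port field can hold, which is not visible in this hunk and is worth confirming. A short comment such as `/* keepstats only for sessions touching a stream4_reassemble port */` above the test would record the intent, and the three lines could be one initialiser, `int SessPort = s4data.assemble_ports[ssn->server.port] == 1 || s4data.assemble_ports[ssn->client.port] == 1;`. The enclosing function starts and ends outside the hunk.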
2960c2956
<     if(s4data.track_stats_flag == STATS_HUMAN_READABLE && SessPort)
---
>     if(s4data.track_stats_flag == STATS_HUMAN_READABLE)
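Review bot: Gating the `STATS_HUMAN_READABLE` branch on `SessPort`, and in the same way the `STATS_MACHINE_READABLE` and `STATS_BINARY` branches in the hunks at 2987 and 3013, stops session records for every port outside the reassembly list without any change to the `keepstats` configuration. Anyone who uses the statistics output as a complete session log for incident reconstruction would lose coverage after taking this patch, and nothing in the output would say so. The reassembly port list and the scope of the statistics are separate decisions, so the all-sessions behaviour should stay the default and the port filter should be an explicit, documented option on `keepstats`. If the coupling is kept as written, each of the three conditions deserves the same one-line comment saying that sessions on other ports are intentionally not recorded.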
2987c2983
<     else if(s4data.track_stats_flag == STATS_MACHINE_READABLE && SessPort)
---
>     else if(s4data.track_stats_flag == STATS_MACHINE_READABLE)
3013c3009
<     else if(s4data.track_stats_flag == STATS_BINARY && SessPort)
---
>     else if(s4data.track_stats_flag == STATS_BINARY)

--------------------------------

thanks
/pc

Paul
------------



