[Snort-devel] Snort >= 2.1.3 TCP/IP options bug
roesch at ...402...
Thu Oct 14 11:53:26 EDT 2004
I wasn't criticizing you, I was just pointing it out to answer your
As for frag3, it's marked "experimental" for a reason...
The testing I have done on it so far includes multimode reassembly
using nemesis to generate packets in specific sequences to recreate the
Paxson test set results, fragroute runs including the problem areas
that Dug Song pointed out a couple years ago, a 900MB defcon pcap that
includes some extremely hostile fragmented traffic for stress testing
and verifying the multimode memory management, timeouts, and engine
selection logic, and data sets generated by the Sourcefire Research
Group. We're also testing with Blade Software's IDS Informer in
various fragment modes.
Right now it's passing all of these tests, but I wanted to get some
field time for the code, which is why it's in CVS and marked
experimental right now; it looks like it works properly, but until I see
some reports from users that it's working in their live environments
I'm not going to be happy with it.
As for a unit testing framework, all I have implemented so far is the
integrated DEBUG_WRAP'd statements that you can activate by adding
--enable-debug at the ./configure command line and setting
SNORT_DEBUG=131072 as an environment variable before you run Snort.
It's not an automated testing framework, but it gets the job done. If
you want to see what frag3 is up to, that'll show you, and you can
determine if it's working properly in an empirical fashion (don't
forget the -dv flags so you can see the input packets).
On Oct 14, 2004, at 11:58 AM, Evrim ULU wrote:
> Martin Roesch wrote:
> | Hey Evrim,
> | It looks like it was built on a linux system so the TCP data
> | don't map 1-to-1 over to *BSD systems. It's also missing an include
> | file before netinet/ip.h for the definition of n_long, looks like it
> | needs in_systm.h on OS X. Here's gcc output on my Mac (OS X 10.3.5):
> Ok, send me the portable version then. Btw, could you post your unit
> testing framework for the frag3 module? W/o unit tests I can't debug it to
> find bugs.
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
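The "multimode reassembly" and "engine selection logic" Marty mentions exist because different target stacks resolve overlapping IP fragments differently, so an IDS that reassembles under the wrong policy sees a different datagram than the host does. As an added illustration that is not Snort/frag3 code and not part of this thread, the Python below models the five overlap policies named in Shankar and Paxson's "Active Mapping" paper as a per-byte rule (my simplification) and runs them over a constructed fragment sequence; `POLICIES`, `reassemble`, `reassemble_all` and `PAXSON_STYLE_FRAGS` are my names, and the fragments are made up, not taken from the Paxson test set.

```python
"""Model of target-based IP fragment reassembly: each policy decides, byte by
byte, whether a later-arriving overlapping fragment may overwrite data already
in the buffer, using the definitions from Shankar & Paxson, "Active Mapping"."""

# policy name -> new_wins(owner_offset_of_old_byte, offset_of_new_fragment)
POLICIES = {
    "first": lambda old, new: False,            # original data always kept
    "last": lambda old, new: True,              # newest data always wins
    "bsd": lambda old, new: not old <= new,     # old kept if it began at/before new
    "bsd-right": lambda old, new: old <= new,   # mirror image of bsd
    "linux": lambda old, new: not old < new,    # old kept only if it began before new
}


def reassemble(fragments, policy):
    """Reassemble (offset, payload) fragments, in arrival order, under a policy.

    Gaps that are never filled are rendered as b'.' so holes stay visible."""
    new_wins = POLICIES[policy]
    buf = {}  # byte position -> (offset of owning fragment, byte value)
    for off, data in fragments:
        for i, b in enumerate(data):
            pos = off + i
            if pos not in buf or new_wins(buf[pos][0], off):
                buf[pos] = (off, b)
    end = max(buf) + 1 if buf else 0
    return bytes(buf[p][1] if p in buf else ord(".") for p in range(end))


# Constructed fragment sequence (not from the Paxson set itself) in which three
# later fragments overlap a base fragment so that every policy differs.
PAXSON_STYLE_FRAGS = [
    (0, b"AAAA"),   # base fragment
    (2, b"BBBB"),   # overlaps the tail of the base and extends past it
    (0, b"CC"),     # same offset as the base, arrives later
    (1, b"DDDDD"),  # begins after the base but before the second fragment
]


def reassemble_all(fragments=PAXSON_STYLE_FRAGS):
    """Run one sequence through every policy. When the results differ, an IDS
    must reassemble with the policy of the real target host or it will see a
    different datagram than the host does."""
    return {name: reassemble(fragments, name) for name in POLICIES}


if __name__ == "__main__":
    for name, result in reassemble_all().items():
        print(f"{name:>9}: {result.decode()}")
```

Running it prints a different datagram for each of the five policies, which is exactly the ambiguity a target-based engine has to resolve before any content matching is meaningful.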