[Snort-devel] Snort >= 2.1.3 TCP/IP options bug

Martin Roesch roesch at ...402...
Thu Oct 14 11:53:26 EDT 2004

Hi Evrim,

I wasn't criticizing you, I was just pointing it out to answer your 

As for frag3, it's marked "experimental" for a reason...

The testing I have done on it so far includes multimode reassembly 
using nemesis to generate packets in specific sequences to recreate the 
Paxson test set results, fragroute runs including the problem areas 
that Dug Song pointed out a couple years ago, a 900MB defcon pcap that 
includes some extremely hostile fragmented traffic for stress testing 
and verifying the multimode memory management, timeouts, and engine 
selection logic, and data sets generated by the Sourcefire Research 
Group.  We're also testing with Blade Software's IDS Informer in 
various fragment modes.

Right now it's passing all of these tests but I wanted to get some 
field time for the code which is why it's in CVS and marked 
experimental right now, it looks like it works properly but until I see 
some reports from users that it's working in their live environments 
I'm not going to be happy with it.

As for a unit testing framework, all I have implemented so far is the 
integrated DEBUG_WRAP'd statements that you can activate by adding 
--enable-debug at the ./configure command line and setting 
SNORT_DEBUG=131072 as an environment variable before you run Snort.  
It's not an automated testing framework, but it gets the job done.  If 
you want to see what frag3 is up to, that'll show you and you can 
determine if it's working properly in an empirical fashion (don't 
forget the -dv flags so you can see the input packets).


On Oct 14, 2004, at 11:58 AM, Evrim ULU wrote:

> Martin Roesch wrote:
> | Hey Evrim,
> |
> | It looks like it was built on a linux system so the TCP data structures
> | don't map 1-to-1 over to *BSD systems.  It's also missing an include
> | file before netinet/ip.h for the definition of n_long, looks like it
> | needs in_systm.h on OS X.  Here's gcc output on my Mac (OS X 10.3.5):
> |
> Ok, send me the portable version then. Btw, could you post your unit
> testing framework for frag3 module. W/o unit tests i can't debug it to
> find bugs.
> Evrim.
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
