[Snort-devel] Problems with Snort 2.4.0 on SPARC

Andrew Rucker Jones arjones at ...2237...
Wed Aug 10 08:02:20 EDT 2005

Hash: RIPEMD160

Hi all,

Snort 2.4.0 with the stream4_reassemble preprocessor on SPARC (and
likely other architectures, but not Intel, of course) in an Ethernet
network does not work. Took me a while to figure this one out, but i got it:

Packets captured off of the wire with libpcap are such that the Ethernet
header starts on a 16-bit word boundary, but not a 32-bit word boundary.
The Ethernet header is 14 bytes, meaning the IP Header starts on a
32-bit word boundary. Perfect.

The problem comes when the packet is saved for later. In
StoreStreamPkt() in spp_stream4.c, memory is allocated for the packet,
and the data are memcopy()ed into the buffer. The buffer, however,
starts on a 32-bit word boundary, meaning the IP Header, when later used
in FlushDeletedStream()/DecodeEthPkt()/DecodeIP() is not aligned on a
32-bit word boudary. This first causes problems in IPHdrTests() in the
comparison of source and destination addresses to guard against a LAND
attack. Commenting that out will produce the same problem later during
the calculation of the TCP checksum.

End of the story: Bus Error.

I am not providing a patch, because i honestly don't know how the Snort
development team would like to solve this.

- --
GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschlüsseln.

Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org


More information about the Snort-devel mailing list