[Snort-devel] Problems with Snort 2.4.0 on SPARC
Andrew Rucker Jones
arjones at ...2237...
Wed Aug 10 08:02:20 EDT 2005
Snort 2.4.0 with the stream4_reassemble preprocessor on SPARC (and
likely other architectures, but not Intel, of course) in an Ethernet
network does not work. Took me a while to figure this one out, but I got it:

Packets captured off of the wire with libpcap are such that the Ethernet
header starts on a 16-bit word boundary, but not a 32-bit word boundary.
The Ethernet header is 14 bytes, meaning the IP Header starts on a
32-bit word boundary. Perfect.

The problem comes when the packet is saved for later. In
StoreStreamPkt() in spp_stream4.c, memory is allocated for the packet,
and the data are memcopy()ed into the buffer. The buffer, however,
starts on a 32-bit word boundary, meaning the IP Header, when later used
in FlushDeletedStream()/DecodeEthPkt()/DecodeIP() is not aligned on a
32-bit word boundary. This first causes problems in IPHdrTests() in the
comparison of source and destination addresses to guard against a LAND
attack. Commenting that out will produce the same problem later during
the calculation of the TCP checksum.

End of the story: Bus Error.

I am not providing a patch, because I honestly don't know how the Snort
development team would like to solve this.
GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschlüsseln.
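
The alignment problem described in the message above, with two common ways to avoid it, as an added example that is not part of the original post and not Snort's code or its eventual fix. The `stored_pkt` structure and all function names are hypothetical; the only values taken from the post are the 14-byte Ethernet header and the 32-bit alignment requirement.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ETH_HDR_LEN 14  /* Ethernet header length, as stated in the post */
#define ALIGN_PAD    2  /* 2 + 14 = 16, so the IP header lands on a 4-byte boundary */

/* Hypothetical stored-packet record; not Snort's own structure. */
struct stored_pkt {
    uint8_t *base;   /* pointer returned by malloc(); this is what gets freed */
    uint8_t *frame;  /* start of the Ethernet header (base + ALIGN_PAD) */
    size_t   len;    /* frame length in bytes */
};

/* Approach 1: copy the captured frame behind a 2-byte pad so that
 * frame + ETH_HDR_LEN (the IP header) is 32-bit aligned again. */
int store_pkt(struct stored_pkt *sp, const uint8_t *frame, size_t len)
{
    sp->base = malloc(len + ALIGN_PAD);
    if (sp->base == NULL)
        return -1;
    sp->frame = sp->base + ALIGN_PAD;
    sp->len = len;
    memcpy(sp->frame, frame, len);
    return 0;
}

/* Misalignment (0..3) of the IP header when the Ethernet header starts at p.
 * A frame copied to the start of a malloc()ed buffer yields 2 here. */
unsigned ip_hdr_misalign(const uint8_t *p)
{
    return (unsigned)((uintptr_t)(p + ETH_HDR_LEN) & 3u);
}

/* Approach 2: an alignment-independent source == destination comparison
 * (the LAND check mentioned in the post). memcpy() into locals replaces the
 * dereference of a possibly unaligned uint32_t pointer, which is what raises
 * SIGBUS on strict-alignment CPUs. IPv4 source is at offset 12, destination at 16. */
int ip_src_equals_dst(const uint8_t *ip_hdr)
{
    uint32_t src, dst;
    memcpy(&src, ip_hdr + 12, sizeof src);
    memcpy(&dst, ip_hdr + 16, sizeof dst);
    return src == dst;
}
```

The padded copy keeps every later 32-bit field access in the decoder aligned, while the `memcpy()` accessor only protects the one field read it replaces.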