[Snort-devel] Session mixup by stream4

Sonali Gupta sonali.gupta at ...2499...
Thu Feb 24 05:42:06 EST 2005


Hi,

Researching some more on this issue, I found that a session can look
mangled due to a packet loss also.

Snort uses one global variable (stream_pkt) for reassembling all the
streams. So it is very important that the option
"zero_flushed_packets" be enabled for the preprocessor
stream4_reassemble. This will cause the global variable stream_pkt to
be zero initialized after each stream reassemble. As a result, NULL
characters will be printed in all places where a packet is missed when
the next stream is reassembled.

If this option is not enabled, the data from a previous reassemble
will remain and will be printed wherever a packet is missed. This will
cause the session to look mangled at those places, but actually, it is
because of a packet loss.

Regards
Sonali
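As an added illustration (not Snort's own code), a toy model of one reused reassembly buffer, with a hypothetical `Reassembler` class and constructed HTTP payloads, showing why a lost segment exposes the previous stream's bytes unless the buffer is zeroed between flushes, and a helper an analyst can use to locate the NUL-filled holes that mark the missing packets.

```python
# Constructed model of stream4's single reused reassembly buffer.
# Hypothetical names; not Snort code.
BUF_SIZE = 32  # constructed; the real buffer is far larger


class Reassembler:
    def __init__(self, zero_flushed_packets: bool):
        self.zero_flushed = zero_flushed_packets
        self.stream_pkt = bytearray(BUF_SIZE)  # the one global buffer

    def flush(self, segments):
        """segments: {offset: payload}. Returns the reassembled bytes."""
        if self.zero_flushed:  # models zero_flushed_packets being enabled
            self.stream_pkt[:] = bytes(BUF_SIZE)
        end = 0
        for off in sorted(segments):
            data = segments[off]
            self.stream_pkt[off:off + len(data)] = data
            end = max(end, off + len(data))
        # Bytes inside [0, end) that no segment covered are whatever the
        # buffer already held: NULs if zeroed, stale data otherwise.
        return bytes(self.stream_pkt[:end])


def nul_runs(data):
    """Return (start, end) ranges of NUL bytes: the visible holes."""
    runs, start = [], None
    for i, b in enumerate(data):
        if b == 0 and start is None:
            start = i
        elif b != 0 and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, len(data)))
    return runs


def demo(zero_flushed):
    r = Reassembler(zero_flushed)
    first = r.flush({0: b"GET /index.html HTTP/1.0\r\n\r\n"})  # full stream
    # Second stream lost the segment covering offsets 8..15.
    second = r.flush({0: b"POST /up", 16: b"HTTP/1.1"})
    return first, second


if __name__ == "__main__":
    print(demo(False)[1])  # stale bytes from the first stream fill the hole
    print(demo(True)[1], nul_runs(demo(True)[1]))  # NULs mark the hole
```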


On Fri, 11 Feb 2005 14:25:33 +0100, Andrew Rucker Jones
<arjones at ...2237...> wrote:
> The checksum thing isn't really the issue. The stream4 plugin really is
> mixing up packets. It does it a whole lot. I can't tell You how many
> times a day i see it at work. I have come to hate stream4. But i won't
> vent here, since i really should be thanking the developers for writing
> Snort at all. I have, however, reported one issue with stream4 and mixed
> up packets to the developers that they would not fix. Their reasoning
> was that they wanted to think through the implications and provide a
> complete solution to the problem instead of the patch i gave them. (The
> issue is with TCP window scaling.) Fair enough, but it doesn't seem to
> have happened yet.
> 
>                        -&
> 
> 
> Jay Beale wrote:
> | Alex Butcher, ISC/ISYS wrote:
> |
> |> Hi -
> |>
> |> --On 08 February 2005 16:32 +0530 Sonali Gupta
> |> <sonali.gupta at ...2499...> wrote:
> |>
> |>> I have posted this query in the snort users mailing list also.
> |>>
> |>> I came across this post in the neohapsis archives, which discusses an
> |>> issue similar to what I seem to be facing.
> |>>
> |>> It is at:
> |>>
> |>> http://archives.neohapsis.com/archives/snort/2003-01/0858.html
> |>>
> |>> http://archives.neohapsis.com/archives/snort/2003-01/0872.html
> |>>
> |>> The discussion talks about a session payload mixup in data captured by
> |>> snort. I am also facing this issue in some sessions that I get from
> |>> snort. I am using snort 2.0 and snort 2.3 ORC2, and found the issue in
> |>> both versions.
> |>
> |>
> |>
> |> I sometimes find alerts in my database that appear to be from mixed-up
> |> packets. The giveaway is that both the IP and TCP checksums are
> |> incorrect (ethereal reports that they are both 0x0000).
> |>
> |> I'm using Snort 2.3.0 release + FLoP.
> |>
> |> I'd send captures, but I've not found any pattern in what makes it
> |> happen. :-/
> |
> |
> | Before you get into a bug report, couldn't this just be flushed
> | uber-packets from stream4? When stream4's BuildPacket() creates an uber
> | packet out of a complete or partial stream, it doesn't compute IP or xDP
> | checksums, since these would be meaningless.
> |
> |  - Jay
> |
> |
> | -------------------------------------------------------
> | SF email is sponsored by - The IT Product Guide
> | Read honest & candid reviews on hundreds of IT Products from real users.
> | Discover which products truly live up to the hype. Start reading now.
> | http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> | _______________________________________________
> | Snort-devel mailing list
> | Snort-devel at lists.sourceforge.net
> | https://lists.sourceforge.net/lists/listinfo/snort-devel
> |
> 
> - --
> GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
> Encrypt everything. / Alles verschlüsseln.
> 
> 
