[Snort-devel] Session mixup by stream4

Andrew Rucker Jones arjones at ...2237...
Thu Feb 24 05:58:00 EST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Of course, there is a performance implication to doing that... Still, i
would rather have it than not. I'm going to try it out at work and see
if it helps.

		-&


Sonali Gupta wrote:
| Hi,
|
| Researching some more on this issue, I found that a session can look
| mangled due to a packet loss also.
|
| Snort uses one global variable (stream_pkt) for reassembling all the
| streams. So it is very important that the option
| "zero_flushed_packets" be enabled for the preprocessor
| stream4_reassemble. This will cause the global variable stream_pkt to
| be zero initialized after each stream reassemble. As a result, NULL
| characters will be printed in all places where a packet is missed when
| the next stream is reassembled.
|
| If this option is not enabled, the data from a previous reassemble
| will remain and will be printed wherever a packet is missed. This will
| cause the session to look mangled at those places, but actually, it is
| because of a packet loss.
|
| Regards
| Sonali
|
|
| On Fri, 11 Feb 2005 14:25:33 +0100, Andrew Rucker Jones
| <arjones at ...2237...> wrote:
|
| The checksum thing isn't really the issue. The stream4 plugin really is
| mixing up packets. It does it a whole lot. I can't tell You how many
| times a day i see it at work. I have come to hate stream4. But i won't
| vent here, since i really should be thanking the developers for writing
| Snort at all. I have, however, reported one issue with stream4 and mixed
| up packets to the developers that they would not fix. Their reasoning
| was that they wanted to think through the implications and provide a
| complete solution to the problem instead of the patch i gave them. (The
| issue is with TCP window scaling.) Fair enough, but it doesn't seem to
| have happened yet.
|
|                        -&
|
|
| Jay Beale wrote:
| | Alex Butcher, ISC/ISYS wrote:
| |
| |> Hi -
| |>
| |> --On 08 February 2005 16:32 +0530 Sonali Gupta
| |> <sonali.gupta at ...2499...> wrote:
| |>
| |>> I have posted this query in the snort users mailing list also.
| |>>
| |>> I came across this post in the neohapsis archives, which discusses an
| |>> issue similar to what I seem to be facing.
| |>>
| |>> It is at:
| |>>
| |>> http://archives.neohapsis.com/archives/snort/2003-01/0858.html
| |>>
| |>> http://archives.neohapsis.com/archives/snort/2003-01/0872.html
| |>>
| |>> The discussion talks about a session payload mixup in data captured by
| |>> snort. I am also facing this issue in some sessions that I get from
| |>> snort. I am using snort 2.0 and snort 2.3.0RC2, and found the issue in
| |>> both versions.
| |>
| |> I sometimes find alerts in my database that appear to be from mixed-up
| |> packets. The giveaway is that both the IP and TCP checksums are
| |> incorrect (ethereal reports that they are both 0x0000).
| |>
| |> I'm using Snort 2.3.0 release + FLoP.
| |>
| |> I'd send captures, but I've not found any pattern in what makes it
| |> happen. :-/
| |
| | Before you get into a bug report, couldn't this just be flushed
| | uber-packets from stream4? When stream4's BuildPacket() creates an uber
| | packet out of a complete or partial stream, it doesn't compute IP or xDP
| | checksums, since these would be meaningless.
| |
| |  - Jay
| |
| |
| | -------------------------------------------------------
| | SF email is sponsored by - The IT Product Guide
| | Read honest & candid reviews on hundreds of IT Products from real users.
| | Discover which products truly live up to the hype. Start reading now.
| | http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
| | _______________________________________________
| | Snort-devel mailing list
| | Snort-devel at lists.sourceforge.net
| | https://lists.sourceforge.net/lists/listinfo/snort-devel
| |
|
| --
| GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
| Encrypt everything. / Alles verschlüsseln.
|

- --
GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschlüsseln.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFCHd0WoI7tqy5bNGMRAu75AKCYDfKMch9PQL/jZJX/7mYMiEIUyACeK8LG
OCxHhecI2eJB03vdRWMl+7w=
=lQ7K
-----END PGP SIGNATURE-----
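The mechanism Sonali describes above (one global reassembly buffer reused for every flush, so that a hole left by a lost packet shows whatever the previous flush wrote there unless zero_flushed_packets is on) is easy to reproduce in isolation. The following is an added illustration written for this page, not Snort's stream4 code: `stream_buf`, `flush_stream`, `nonzero_bytes` and `replay_two_streams` are hypothetical names, and both streams are constructed sample data. Stream A arrives complete; stream B is missing the segment at seq 5002..5005. Without zeroing, the hole in B still holds the bytes "LLO " from A, which is exactly the "mangled session" symptom the thread discusses; with zeroing, the hole is all NUL bytes, so a reader of the flushed data can tell packet loss from a genuine mixup.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the single, reused reassembly buffer. */
#define STREAM_BUF_SIZE 64

/* One global buffer shared by every flush: a simplified stand-in for the
 * stream_pkt global described in the thread (hypothetical, not Snort's code). */
static unsigned char stream_buf[STREAM_BUF_SIZE];

/* A TCP segment that was actually captured: its sequence number and payload. */
struct segment {
    uint32_t seq;
    const char *data;
};

/*
 * Flush one stream into the shared buffer. base_seq is the sequence number of
 * the first byte in the flush window and window_len the number of bytes the
 * window covers. Segments that were never captured leave their byte range
 * untouched: that range then holds either zeroes (zero_flushed != 0) or
 * whatever the previous flush left behind (zero_flushed == 0).
 */
const unsigned char *flush_stream(const struct segment *segs, size_t nsegs,
                                  uint32_t base_seq, size_t window_len,
                                  int zero_flushed)
{
    if (window_len > STREAM_BUF_SIZE)
        window_len = STREAM_BUF_SIZE;
    if (zero_flushed)
        memset(stream_buf, 0, STREAM_BUF_SIZE);  /* the zero_flushed_packets behaviour */

    for (size_t i = 0; i < nsegs; i++) {
        /* unsigned subtraction: a seq below base_seq wraps to a huge offset
         * and is rejected by the window check below */
        size_t off = (size_t)(segs[i].seq - base_seq);
        size_t len = strlen(segs[i].data);
        if (off >= window_len || len > window_len - off)
            continue;                               /* outside the window: drop */
        memcpy(stream_buf + off, segs[i].data, len);
    }
    return stream_buf;
}

/* Number of non-zero bytes in buf[off .. off+len). */
size_t nonzero_bytes(const unsigned char *buf, size_t off, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[off + i] != 0)
            n++;
    return n;
}

/* Offset and length of the hole in the constructed second stream. */
#define GAP_OFF 2
#define GAP_LEN 4

/*
 * Replay two constructed streams through the shared buffer. Stream A arrives
 * complete; stream B is missing the segment at seq 5002..5005. Returns how many
 * of the missing bytes show stale (non-zero) content and, when gap_out is not
 * NULL, copies the GAP_LEN bytes of the hole into it.
 */
size_t replay_two_streams(int zero_flushed, unsigned char *gap_out)
{
    const struct segment stream_a[] = {          /* constructed sample data */
        { 1000, "HELLO " },
        { 1006, "WORLD" },
    };
    const struct segment stream_b[] = {          /* "cdef" at seq 5002 was lost */
        { 5000, "ab" },
        { 5006, "ghijk" },
    };

    flush_stream(stream_a, 2, 1000, 11, zero_flushed);
    const unsigned char *buf = flush_stream(stream_b, 2, 5000, 11, zero_flushed);

    if (gap_out)
        memcpy(gap_out, buf + GAP_OFF, GAP_LEN);
    return nonzero_bytes(buf, GAP_OFF, GAP_LEN);
}

int main(void)
{
    unsigned char gap[GAP_LEN + 1] = {0};
    size_t stale = replay_two_streams(0, gap);
    printf("without zeroing: %zu stale bytes in the hole, bytes = \"%s\"\n", stale, gap);
    stale = replay_two_streams(1, gap);
    printf("with zeroing:    %zu stale bytes in the hole\n", stale);
    return 0;
}
```

The forensic takeaway matches the thread: when reviewing flushed stream data, a run of NUL bytes in the middle of a session points at capture loss on the sensor, while readable but out-of-place bytes in that position, with zeroing disabled, are most likely leftovers from an earlier flush rather than the other endpoint's data.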