[Snort-devel] stream5 drop_packet and drop_session are broken - breaks preprocessors

Nepenthes Development Team nepenthesdev at ...2499...
Fri Dec 29 15:18:43 EST 2006


Hi,

Trying to write a little preprocessor, I grabbed Snort 2.6 from CVS,
compiled it, installed it, and started messing around with the dynamic
preprocessor code.

When it started working, the preprocessor was unable to drop packets
and sessions, and I had no idea why. Now I know why: stream5 is
broken.
Maybe I was too optimistic in using stream5 even though the config
mentions it as beta code; on the other hand, now that the problem is
known, one can fix it.

How to trigger the bug: compile Snort for inline mode (ipq in my case),
start Snort using the default config for stream5 from CVS, and push
packets into the ip_queue.
Preprocessors detecting malicious activity and calling
_dpd.streamAPI->drop_packet(packetp);
or
_dpd.streamAPI->drop_traffic(packetp->stream_session_ptr, SSN_DIR_BOTH);
won't affect anything: no RST packets get sent, no FIN packets,
nothing. The session still exists and works without problems.

Actually I have no idea what's wrong with stream5, but I guess some
people may want to use stream4 until this is fixed.

If you need my sample code to verify, please mail me off the list.
It is very easy: drop the connection of every 10th packet.

	/* fail is a counter kept across calls (e.g. static int fail = 0;)
	 * every 10th packet seen: drop it and tear down its session, otherwise let it pass */
	if (fail % 10 == 0)
	{
		fail = 1;
		/* stream_session_ptr is a pointer; cast before printing it as hex */
		_dpd.logMsg("\033[31mdropping:\033[m session %lx\n",
		            (unsigned long) packetp->stream_session_ptr);
		_dpd.streamAPI->drop_packet(packetp);
		_dpd.streamAPI->drop_traffic(packetp->stream_session_ptr, SSN_DIR_BOTH);
	}
	else
	{
		fail++;
		_dpd.logMsg("allow session %lx\n",
		            (unsigned long) packetp->stream_session_ptr);
	}

stream4 gives this:
allow session a4cf028
allow session a4cf860
allow session a4cf860
allow session a4cf860
allow session a4cf860
allow session a4cf860
allow session a4cf860
allow session a4cf860
allow session a4cf860
dropping: session a4cf860
allow session 0
allow session 0
allow session 0
allow session 0
allow session a4cf5e0
allow session a4cf5e0
allow session a4cf5e0
allow session a4cf5e0
allow session a4cf5e0
dropping: session a4cf5e0

Dropped sessions are dead, the connection dies, and I can see the
inserted packets with tcpdump.


stream5 gives this:
dropping: session a4cd640
allow session a4cd640
allow session a4cd640
allow session a4cd640
allow session a4cd640
allow session a4cd640
allow session a4cd640
allow session a4cd640
allow session a4cd640
allow session a4cd640
dropping: session a4cd640
allow session a4cd640
allow session a4cd640
allow session a4cd640
allow session a4cd640
allow session a4cd640
allow session a4cd640
allow session a4cd640
allow session a4cd640
allow session a4cd640
dropping: session a4cd640
allow session a4cd640
allow session a4cd640
...

The session survives every drop, no packets to finish it are sent; it is broken.



MfG
Markus



