[Snort-devel] stream5 drop_packet and drop_session are broken - breaks preprocessors

Steven Sturges steve.sturges at ...402...
Fri Dec 29 15:30:34 EST 2006


Hi Markus--

Thanks for the report... That code is currently still in
a TODO comment block -- have a look at
preprocessors/Stream5/snort_stream5_tcp.c, line 3960
(+/- a few lines).

Cheers.
-steve

Nepenthes Development Team wrote:
> Hi,
> 
> trying to write a little preprocessor I grabbed snort 2.6 cvs,
> compiled it, installed it, started messing around with the dynamic
> preprocessor code.
> 
> When it started working, the preprocessor was unable to drop packets
> and sessions, and I had no idea why, now I know why, stream5 is
> broken.
> Maybe I was too optimistic in using stream5 even though the config
> mentions it as beta code, on the other hand, now that the problem is
> known, one can fix it.
> 
> How to trigger the bug, compile snort for inline mode, ipq in my case,
> start snort using the default config for stream5 from cvs, push
> packets into the ip_queue.
> Preprocessors detecting malicious activity and calling
> _dpd.streamAPI->drop_packet(packetp);
> or
> _dpd.streamAPI->drop_traffic(packetp->stream_session_ptr, SSN_DIR_BOTH);
> won't affect anything, no RST packets get sent, no FIN packets,
> nothing, the session still exists and works without problems.
> 
> Actually I have no idea what's wrong with stream5, but I guess some
> people may want to use stream4 until this is fixed.
> 
> If you need my sample code to verify, please mail me off the list.
> It is very easy, drop every 10th packet's connection
> 
> 	/* every 10th packet: drop this packet and the whole session */
> 	if ( fail % 10 == 0)
> 	{
> 		fail = 1;
> 		_dpd.logMsg("\033[31mdropping:\033[m session %x\n", packetp->stream_session_ptr);
> 		_dpd.streamAPI->drop_packet(packetp);
> 		_dpd.streamAPI->drop_traffic(packetp->stream_session_ptr, SSN_DIR_BOTH);
> 	} else
> 	{
> 		/* otherwise let the packet through and count it */
> 		fail++;
> 		_dpd.logMsg("allow session %x\n", packetp->stream_session_ptr);
> 	}
> 
> stream4 gives this:
> allow session a4cf028
> allow session a4cf860
> allow session a4cf860
> allow session a4cf860
> allow session a4cf860
> allow session a4cf860
> allow session a4cf860
> allow session a4cf860
> allow session a4cf860
> dropping: session a4cf860
> allow session 0
> allow session 0
> allow session 0
> allow session 0
> allow session a4cf5e0
> allow session a4cf5e0
> allow session a4cf5e0
> allow session a4cf5e0
> allow session a4cf5e0
> dropping: session a4cf5e0
> 
> dropped sessions are dead, the connections die, I can see the
> inserted packets with tcpdump
> 
> 
> stream5 gives this:
> dropping: session a4cd640
> allow session a4cd640
> allow session a4cd640
> allow session a4cd640
> allow session a4cd640
> allow session a4cd640
> allow session a4cd640
> allow session a4cd640
> allow session a4cd640
> allow session a4cd640
> dropping: session a4cd640
> allow session a4cd640
> allow session a4cd640
> allow session a4cd640
> allow session a4cd640
> allow session a4cd640
> allow session a4cd640
> allow session a4cd640
> allow session a4cd640
> allow session a4cd640
> dropping: session a4cd640
> allow session a4cd640
> allow session a4cd640
> ...
> 
> the session survives every drop, no packets to finish are sent, it is broken.
> 
> 
> 
> Regards
> Markus
> 
> 
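A small log checker, added here as an example and not part of the thread or of Snort, that automates the comparison Markus made by eye: it scans the preprocessor's own log lines and counts every "allow session" line for a session that was already reported as dropped, which is exactly the symptom showing that stream5's inline drop is not taking effect. The two log strings are trimmed excerpts of the output posted above; the function name and the 64-session limit are this example's own choices.

```c
#include <stdio.h>
#include <string.h>
#define MAX_DROPPED 64
/* Count "allow session X" lines that follow "dropping: session X" for the same
 * session id. If the inline drop really kills the session the count is zero.
 * Tags are found with strstr, so the ANSI colour escapes in the original
 * logMsg call do not matter; sessions beyond MAX_DROPPED are not tracked. */
int count_allows_after_drop(const char *log)
{
    unsigned dropped[MAX_DROPPED], id;
    int ndropped = 0, violations = 0;
    const char *p = log, *nl, *tag;
    char line[128];

    while (*p) {
        nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;              /* truncate over-long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        if ((tag = strstr(line, "dropping: session ")) != NULL
            && sscanf(tag + strlen("dropping: session "), "%x", &id) == 1) {
            if (ndropped < MAX_DROPPED)
                dropped[ndropped++] = id;
        } else if ((tag = strstr(line, "allow session ")) != NULL
                   && sscanf(tag + strlen("allow session "), "%x", &id) == 1) {
            for (int i = 0; i < ndropped; i++)
                if (dropped[i] == id) { violations++; break; }
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return violations;
}
/* Trimmed excerpts of the two logs posted in the thread. */
static const char STREAM4_LOG[] =
    "allow session a4cf028\nallow session a4cf860\nallow session a4cf860\n"
    "dropping: session a4cf860\nallow session 0\nallow session 0\n"
    "allow session a4cf5e0\nallow session a4cf5e0\ndropping: session a4cf5e0\n";
static const char STREAM5_LOG[] =
    "dropping: session a4cd640\nallow session a4cd640\nallow session a4cd640\n"
    "allow session a4cd640\ndropping: session a4cd640\nallow session a4cd640\n"
    "allow session a4cd640\n";
int main(void)
{
    printf("stream4: %d  stream5: %d\n", count_allows_after_drop(STREAM4_LOG), count_allows_after_drop(STREAM5_LOG));
    return 0;   /* prints "stream4: 0  stream5: 5" */
}
```

A non-zero count for the stream5 log is the bug report in one number; the same check can be run against any preprocessor log that tags its drop and allow decisions this way.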