[Snort-devel] [Snort-users] 188.8.131.52 performance issue
eoin.miller at ...3055...
Thu Nov 18 12:01:33 EST 2010
On 11/18/2010 4:26 PM, L0rd Ch0de1m0rt wrote:
> Hello. To be clear, there is no fix for the "http_inspect\stream
> reassembly" bug at the moment (if there is a fix in SVN, let me know
> so I can take action here b/c this is seriously a non-trivial bug for
> me). Apparently it is an issue with Stream5 having premature buffer
> flushing issues.
> Government/Critical Infrastructure companies take note: this bug leads
> to easy IDS/IPS evasion and this issue, "predates Snort 2.9.0"
> according to Sourcefire.
> -L0rd C.
> On Thu, Nov 18, 2010 at 10:09 AM, matan monitz<mmonitz at ...2499...> wrote:
>> sounds related to the http_inspect\stream reassembly bugfix
The stream reassembly+http_inspect bug has been around for quite some
time. The one that got fixed recently with http_inspect was the
chunked+gzip bug that had also been around for quite some time.
http_inspect would do either dechunking or gunzip'ing, but not both. So
if a client downloaded gzip'd http that was chunked, http_inspect would
dechunk it (but not gunzip it) before shoving it off to the rules engine
for inspection. This got fixed in 2.9.0 though, so I wouldn't think that
is the reason for the code change between 2.9.0 and 184.108.40.206.
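
Added illustration, not part of the original thread and not Snort code: a minimal normaliser showing why a chunked, gzip'd HTTP body must have both codings undone before content matching. All function names and the sample response are constructed for this example.

```python
import gzip

def chunk_encode(body: bytes, size: int = 16) -> bytes:
    """Apply HTTP/1.1 chunked transfer coding (used only to build the sample)."""
    out = b""
    for i in range(0, len(body), size):
        piece = body[i:i + size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return out + b"0\r\n\r\n"

def dechunk(data: bytes) -> bytes:
    """Remove chunked transfer coding; raise ValueError on malformed framing."""
    out, pos = b"", 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size = int(data[pos:eol].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return out
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2

def normalize(headers: dict, raw: bytes) -> bytes:
    """Undo the transfer coding first, then the content coding, as a client does."""
    body = raw
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    if "gzip" in headers.get("content-encoding", "").lower():
        body = gzip.decompress(body)
    return body

# Constructed sample response: a marker string inside a compressible HTML body.
PATTERN = b"EXAMPLE-CONTENT-MARKER"
PLAIN = b"<html><body>" + b"<p>filler</p>" * 20 + PATTERN + b"</body></html>"
HEADERS = {"transfer-encoding": "chunked", "content-encoding": "gzip"}
WIRE = chunk_encode(gzip.compress(PLAIN))

def pattern_visible(buf: bytes) -> bool:
    return PATTERN in buf

if __name__ == "__main__":
    print("raw wire bytes:     ", pattern_visible(WIRE))
    print("dechunked only:     ", pattern_visible(dechunk(WIRE)))
    print("dechunk then gunzip:", pattern_visible(normalize(HEADERS, WIRE)))
```
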