[Snort-devel] [Snort-users] 2.9.0.1 performance issue

Eoin Miller eoin.miller at ...3055...
Thu Nov 18 12:01:33 EST 2010


On 11/18/2010 4:26 PM, L0rd Ch0de1m0rt wrote:
> Hello.  To be clear, there is no fix for the "http_inspect\stream
> reassembly" bug at the moment (if there is a fix in SVN, let me know
> so I can take action here b/c this is seriously a non-trivial bug for
> me).  Apparently it is an issue with Stream5 having premature buffer
> flushing issues.
>
> Government/Critical Infrastructure companies take note: this bug leads
> to easy IDS/IPS evasion and this issue, "predates Snort 2.9.0"
> according to Sourcefire.
>
> -L0rd C.
>
> On Thu, Nov 18, 2010 at 10:09 AM, matan monitz<mmonitz at ...2499...>  wrote:
>> sounds related to the http_inspect\stream reassembly bugfix
>>
The stream reassembly+http_inspect bug has been around for quite some 
time. The one that got fixed recently with http_inspect was the 
chunked+gzip bug that had also been around for quite some time. 
http_inspect would do either dechunking or gunzip'ing, but not both. So 
if a client downloaded gzip'd http that was chunked, http_inspect would 
dechunk it (but not gunzip it) before shoving it off to the rules engine 
for inspection. This got fixed in 2.9.0 though, so I wouldn't think that 
is the reason for the code change between 2.9.0 and 2.9.0.1.

-- Eoin
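
The chunked+gzip case described in the message above, as an added illustration that is not part of the original post and is not Snort's code: a response that is both chunked and gzip'd is normalized once with dechunking only and once with both steps, and a content match is run on each result. All function names, the pattern and the sample response are constructed for this example.

```python
import gzip

# Illustrative names only; this is not Snort/http_inspect code.
def chunk_encode(body: bytes, size: int = 16) -> bytes:
    """Apply HTTP/1.1 chunked transfer coding to body."""
    out = bytearray()
    for i in range(0, len(body), size):
        piece = body[i:i + size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return bytes(out) + b"0\r\n\r\n"

def dechunk(data: bytes) -> bytes:
    """Strip chunked coding; chunk extensions and trailers are ignored."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        start = eol + 2
        if start + size > len(data):
            raise ValueError("truncated chunk")
        out += data[start:start + size]
        pos = start + size + 2  # skip the CRLF that ends the chunk

def normalize(data: bytes, headers: dict, gunzip: bool = True) -> bytes:
    """Undo transfer coding first, then content coding."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        data = dechunk(data)
    if gunzip and "gzip" in headers.get("content-encoding", "").lower():
        data = gzip.decompress(data)
    return data

# Constructed sample: a response body containing a string a rule matches on.
PATTERN = b"EXAMPLE-RULE-CONTENT"
HEADERS = {"transfer-encoding": "chunked", "content-encoding": "gzip"}
BODY = b"<html>" + b"<p>padding</p>" * 20 + PATTERN + b"</html>"
WIRE = chunk_encode(gzip.compress(BODY))

def rule_matches(gunzip: bool) -> bool:
    """Content match against whatever the normalizer hands over."""
    return PATTERN in normalize(WIRE, HEADERS, gunzip)

if __name__ == "__main__":
    print("dechunk only     :", rule_matches(False))
    print("dechunk + gunzip :", rule_matches(True))
```

With dechunking alone the buffer handed to inspection still starts with the gzip magic bytes, so the content match has nothing readable to match against.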
