[Snort-devel] Enormous increase in GZIP Decompression failures with 2.9.3 vs 22.214.171.124 on 64-bit
brett.edgar at ...2499...
Wed Jul 25 11:11:21 EDT 2012
After upgrading a handful of x64 IDS sensors from Snort 126.96.36.199 to
Snort 188.8.131.52, I have noticed an enormous increase (almost 45 times
higher) in GZIP decompression failures (sig 120:6) coming from the
http_inspect preprocessor. The only other package that was updated
with the move to Snort 2.9.3 was the Sourcefire DAQ library (from
0.6.2 to 1.1.1).
Since the VRT did not recommend any snort.conf changes, my Snort
configuration was not changed aside from moving to the 184.108.40.206
subscription rule set (from 220.127.116.11). The http_inspect configuration
is identical to what I was using with 18.104.22.168.
What's bothersome is that I do NOT see the same increase on some x86
(32-bit) sensors that were upgraded at the same time.
I'm using Gentoo as my distro. My x86 and x64 versions are compiled
identically and linked against the same packages. Snort was compiled
with --enable-sourcefire --linux-smp-stats and
--enable-reload-error-restart. It is linked with zlib 1.2.5, libpcap
1.1.1, libdnet 1.11, daq 1.1.1, and libpcre 8.30.
Since I've only seen the 120:6 alert increase on 64-bit systems, I'm
thinking there was some code change that may be using the wrong size
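The alert at the centre of this thread, 120:6, fires when http_inspect cannot finish inflating a gzip-encoded response body. The following Python is an added illustration, not Snort's C code and not anything from the poster, of what that decompression step does and of the distinct ways it can fail: a clean end of stream, input that stops before the stream ends, a stream zlib rejects as corrupt, and output that hits the inspector's decompression depth first. The sample body is constructed in-process, and the default depth of 20480 bytes is an assumption for the example, not Snort's decompress_depth default.

```python
import gzip
import zlib

# Constructed sample HTTP response body: a gzip member produced in-process,
# so the example runs offline without any captured traffic.
SAMPLE_TEXT = b"<html><body>" + b"hello snort " * 200 + b"</body></html>"
SAMPLE_GZIP = gzip.compress(SAMPLE_TEXT)


def inflate_gzip(body: bytes, depth: int = 20480):
    """Inflate a gzip-encoded HTTP body the way a content inspector that
    normalises Content-Encoding: gzip would, stopping after `depth` bytes of
    output (analogous to an http_inspect decompress_depth; the value here is
    an assumption for the example).

    Returns (status, decompressed_bytes) where status is one of:
      'ok'        - stream ended cleanly within depth
      'truncated' - input ran out before the stream ended
      'corrupt'   - zlib raised a data error (bad header, block, or CRC)
      'depth'     - output limit reached before the stream ended
    """
    # 16 + MAX_WBITS tells zlib to expect (and validate) a gzip header/trailer.
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    try:
        out = d.decompress(body, depth)
    except zlib.error:
        return "corrupt", b""
    if d.eof:
        return "ok", out
    if d.unconsumed_tail:
        # zlib stopped because max_length was reached, not because input ended.
        return "depth", out
    return "truncated", out


def corrupted_sample() -> bytes:
    """Constructed corrupt input: flip a byte of the gzip CRC32 trailer so the
    deflate data inflates but the trailer check fails."""
    body = bytearray(SAMPLE_GZIP)
    body[-8] ^= 0xFF
    return bytes(body)


def demo() -> dict:
    """Run each failure class once and return the status for each case."""
    return {
        "ok": inflate_gzip(SAMPLE_GZIP)[0],
        "truncated": inflate_gzip(SAMPLE_GZIP[:-20])[0],
        "corrupt": inflate_gzip(corrupted_sample())[0],
        "depth": inflate_gzip(SAMPLE_GZIP, depth=100)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:10s} -> {status}")
```

When triaging a jump in 120:6 like the one reported above, separating these outcomes matters: 'depth' and 'truncated' point at inspector configuration or stream reassembly on the sensor, whereas 'corrupt' on traffic that browsers render fine is the pattern that suggests a decoder bug rather than bad data.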