[Snort-devel] Enormous increase in GZIP Decompression failures with 2.9.3 vs 2.9.2.3 on 64-bit

Brett Edgar brett.edgar at ...2499...
Wed Jul 25 11:11:21 EDT 2012


After upgrading a handful of x64 IDS sensors from Snort 2.9.2.3 to
Snort 2.9.3.0, I have noticed an enormous increase (almost 45 times
higher) in GZIP decompression failures (sig 120:6) coming from the
http_inspect preprocessor.  The only other package that was updated
with the move to Snort 2.9.3 was the Sourcefire DAQ library (from
0.6.2 to 1.1.1).

Since the VRT did not recommend any snort.conf changes, my Snort
configuration was not changed aside from moving to the 2.9.3.0
subscription rule set (from 2.9.2.3).  The http_inspect configuration
is identical to what I was using with 2.9.2.3.

What's bothersome is that I do NOT see the same increase on some x86
(32-bit) sensors that were upgraded at the same time.

I'm using Gentoo as my distro.  My x86 and x64 versions are compiled
identically and linked against the same packages.  Snort was compiled
with --enable-sourcefire --linux-smp-stats and
--enable-reload-error-restart.  It is linked with zlib 1.2.5, libpcap
1.1.1, libdnet 1.11, daq 1.1.1, and libpcre 8.30.

Since I've only seen the 120:6 alert increase on 64-bit systems, I'm
thinking there was some code change that may be using the wrong size
integers?

-Brett




More information about the Snort-devel mailing list