[Snort-devel] Enormous increase in GZIP Decompression failures with 2.9.3 vs 2.9.2.3 on 64-bit

Brett Edgar brett.edgar at ...2499...
Wed Jul 25 11:17:07 EDT 2012


Update: the *exact* ./configure command was:

./configure --prefix=/usr --build=x86_64-pc-linux-gnu
--host=x86_64-pc-linux-gnu --mandir=/usr/share/man
--infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc
--localstatedir=/var/lib --libdir=/usr/lib64 --enable-shared
--disable-static --enable-sourcefire --disable-so-with-static-lib
--enable-dynamicplugin --disable-control-socket --enable-ipv6
--enable-zlib --enable-gre --enable-mpls --enable-targetbased
--enable-ppm --enable-perfprofiling --enable-linux-smp-stats
--disable-inline-init-failopen --enable-pthread --disable-debug
--disable-debug-msgs --disable-corefiles --disable-gdb
--enable-dlclose --enable-active-response --enable-normalizer
--enable-reload --enable-reload-error-restart --enable-react
--enable-flexresp3 --enable-paf --disable-large-pcap
--disable-rzb-saac --disable-build-dynamic-examples --disable-profile
--disable-ppm-test --disable-intel-soft-cpm --disable-static-daq
--disable-rzb-saac

Gentoo ebuilds make ./configure a little wordy. :)  FYI, this is my
own ebuild, not an official Gentoo one, not that that should matter.

GCC version is 4.5.3.

Also, I am a C programmer and I have done my homework: I have examined
the code changes for http_inspect between 2.9.2.3 and 2.9.3, and
nothing jumps out at me as being problematic...

-Brett

On Wed, Jul 25, 2012 at 10:11 AM, Brett Edgar <brett.edgar at ...2499...> wrote:
> After upgrading a handful of x64 IDS sensors from Snort 2.9.2.3 to
> Snort 2.9.3.0, I have noticed an enormous increase (almost 45 times
> higher) in GZIP decompression failures (sig 120:6) coming from the
> http_inspect preprocessor.  The only other package that was updated
> with the move to Snort 2.9.3 was the Sourcefire DAQ library (from
> 0.6.2 to 1.1.1).
>
> Since the VRT did not recommend any snort.conf changes, my Snort
> configuration was not changed aside from moving to the 2.9.3.0
> subscription rule set (from 2.9.2.3).  The http_inspect configuration
> is identical to what I was using with 2.9.2.3.
>
> What's bothersome is that I do NOT see the same increase on some x86
> (32-bit) sensors that were upgraded at the same time.
>
> I'm using Gentoo as my distro.  My x86 and x64 versions are compiled
> identically and linked against the same packages.  Snort was compiled
> with --enable-sourcefire --linux-smp-stats and
> --enable-reload-error-restart.  It is linked with zlib 1.2.5, libpcap
> 1.1.1, libdnet 1.11, daq 1.1.1, and libpcre 8.30.
>
> Since I've only seen the 120:6 alert increase on 64-bit systems, I'm
> thinking there was some code change that may be using the wrong size
> integers?
>
> -Brett
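Added example, not part of Brett's post or of the Snort code base: the http_inspect preprocessor sees a gzip-encoded response body in pieces, so a decompression failure can come either from genuinely bad data or from how the pieces are fed to zlib. The script below drives zlib's incremental gzip decoder the way a preprocessor would (`wbits=31` is zlib's 15+16 "gzip wrapper only" mode, the same as `inflateInit2(MAX_WBITS+16)` in C) and separates three cases: a body delivered whole or in small chunks (succeeds, `eof` set), a body truncated mid-stream (no error, but `eof` stays clear), and a body with a corrupted header (hard zlib error). The sample body, chunk sizes and corruption are constructed here for illustration.

```python
import gzip
import zlib

# Constructed sample HTTP body (not from the original post).
SAMPLE_BODY = b"<html><body>" + b"payload " * 2000 + b"</body></html>"


def decompress_chunked(chunks):
    """Feed gzip data to zlib one chunk at a time, as a preprocessor would
    after reassembly.  Returns (output, finished, error) where `finished`
    is zlib's end-of-stream flag and `error` is None or the zlib message."""
    d = zlib.decompressobj(wbits=31)  # 31 = 15 + 16: accept gzip framing only
    out = bytearray()
    for chunk in chunks:
        try:
            out += d.decompress(chunk)
        except zlib.error as e:
            # Hard failure: bad magic, bad block, bad CRC, etc.
            return bytes(out), False, str(e)
    return bytes(out), d.eof, None


def split(data, size):
    """Cut a byte string into consecutive chunks of `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def run_scenarios(body=SAMPLE_BODY):
    """Return a dict of (output_ok, finished, error) per scenario."""
    comp = gzip.compress(body)
    results = {}

    # 1. Whole body in one call.
    out, fin, err = decompress_chunked([comp])
    results["whole"] = (out == body, fin, err)

    # 2. Same body in 64-byte pieces: chunking alone must not cause a failure.
    out, fin, err = decompress_chunked(split(comp, 64))
    results["chunked"] = (out == body, fin, err)

    # 3. Body cut off before the 8-byte CRC32/ISIZE trailer: no error,
    #    but the stream never reaches end-of-stream.
    out, fin, err = decompress_chunked(split(comp[:-16], 64))
    results["truncated"] = (body.startswith(out), fin, err)

    # 4. First gzip magic byte corrupted (0x1f -> 0x00): zlib rejects it.
    bad = b"\x00" + comp[1:]
    out, fin, err = decompress_chunked(split(bad, 64))
    results["corrupt_header"] = (out == b"", fin, err)

    return results


if __name__ == "__main__":
    for name, (ok, fin, err) in run_scenarios().items():
        print(f"{name:15s} output_ok={ok} finished={fin} error={err!r}")
```

When investigating an alert rate change like the one reported above, the useful distinction is case 2 versus case 3: if the sensor's reassembled bodies are being handed to zlib in a different shape than before (different chunk boundaries, a body cut short by a flush or a size limit), zlib reports that quite differently from a corrupt stream, and the two should be counted separately before suspecting the decoder itself.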
