[Snort-devel] Enormous increase in GZIP Decompression failures with 2.9.3 vs 2.9.2.3 on 64-bit

Matt Watchinski mwatchinski at ...402...
Wed Jul 25 22:26:36 EDT 2012


Have pcaps and a snort.conf that replicate the issue?

Cheers,
-matt

On Wed, Jul 25, 2012 at 11:17 AM, Brett Edgar <brett.edgar at ...2499...> wrote:
> Update: the *exact* ./configure command was:
>
> ./configure --prefix=/usr --build=x86_64-pc-linux-gnu
> --host=x86_64-pc-linux-gnu --mandir=/usr/share/man
> --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc
> --localstatedir=/var/lib --libdir=/usr/lib64 --enable-shared
> --disable-static --enable-sourcefire --disable-so-with-static-lib
> --enable-dynamicplugin --disable-control-socket --enable-ipv6
> --enable-zlib --enable-gre --enable-mpls --enable-targetbased
> --enable-ppm --enable-perfprofiling --enable-linux-smp-stats
> --disable-inline-init-failopen --enable-pthread --disable-debug
> --disable-debug-msgs --disable-corefiles --disable-gdb
> --enable-dlclose --enable-active-response --enable-normalizer
> --enable-reload --enable-reload-error-restart --enable-react
> --enable-flexresp3 --enable-paf --disable-large-pcap
> --disable-rzb-saac --disable-build-dynamic-examples --disable-profile
> --disable-ppm-test --disable-intel-soft-cpm --disable-static-daq
> --disable-rzb-saac
>
> Gentoo ebuilds make ./configure a little wordy. :)  FYI, this is my
> own ebuild, not an official Gentoo one, not that that should matter.
>
> GCC version is 4.5.3.
>
> Also, I am a C programmer and I have done my homework: I have examined
> the code changes for http_inspect between 2.9.2.3 and 2.9.3, and
> nothing jumps out at me as being problematic...
>
> -Brett
>
> On Wed, Jul 25, 2012 at 10:11 AM, Brett Edgar <brett.edgar at ...2499...> wrote:
>> After upgrading a handful of x64 IDS sensors from Snort 2.9.2.3 to
>> Snort 2.9.3.0, I have noticed an enormous increase (almost 45 times
>> higher) in GZIP decompression failures (sig 120:6) coming from the
>> http_inspect preprocessor.  The only other package that was updated
>> with the move to Snort 2.9.3 was the Sourcefire DAQ library (from
>> 0.6.2 to 1.1.1).
>>
>> Since the VRT did not recommend any snort.conf changes, my Snort
>> configuration was not changed aside from moving to the 2.9.3.0
>> subscription rule set (from 2.9.2.3).  The http_inspect configuration
>> is identical to what I was using with 2.9.2.3.
>>
>> What's bothersome is that I do NOT see the same increase on some x86
>> (32-bit) sensors that were upgraded at the same time.
>>
>> I'm using Gentoo as my distro.  My x86 and x64 versions are compiled
>> identically and linked against the same packages.  Snort was compiled
>> with --enable-sourcefire --linux-smp-stats and
>> --enable-reload-error-restart.  It is linked with zlib 1.2.5, libpcap
>> 1.1.1, libdnet 1.11, daq 1.1.1, and libpcre 8.30.
>>
>> Since I've only seen the 120:6 alert increase on 64-bit systems, I'm
>> thinking there was some code change that may be using the wrong size
>> integers?
>>
>> -Brett
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
Matthew Watchinski
V.P. Vulnerability Research (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-blog.snort.org && http://www.snort.org/vrt/
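A way to quantify the kind of before/after comparison described in the report, as an added example that is not part of this thread or of Snort: it counts alert_fast lines per gid:sid and compares the 120:6 rate on a 64-bit sensor against a 32-bit baseline, normalised by total alert volume. The sample alert lines, the two hypothetical sensors and the 1:1000001 padding rule are constructed assumptions.

```python
import re
from collections import Counter

# alert_fast lines carry the [gid:sid:rev] triple in square brackets;
# gid 120 is http_inspect and sid 6 is its "DECOMPRESSION FAILED" event.
SIG_RE = re.compile(r"\[(\d+):(\d+):\d+\]")

def count_sigs(lines):
    """Map 'gid:sid' -> number of alert_fast lines carrying that signature."""
    counts = Counter()
    for line in lines:
        m = SIG_RE.search(line)
        if m:
            counts[f"{m.group(1)}:{m.group(2)}"] += 1
    return counts

def sig_rate(lines, sig="120:6"):
    """Fraction of all alerts that are `sig`, so a busier sensor does not
    look like a regression merely because it alerts more overall."""
    counts = count_sigs(lines)
    total = sum(counts.values())
    return counts[sig] / total if total else 0.0

def rate_ratio(baseline_lines, candidate_lines, sig="120:6"):
    """How many times higher the `sig` rate is on the candidate sensor than on
    the baseline; inf when the baseline never saw it but the candidate did."""
    base, cand = sig_rate(baseline_lines, sig), sig_rate(candidate_lines, sig)
    if base == 0.0:
        return float("inf") if cand > 0.0 else 0.0
    return cand / base

def _alert(sig, msg, ts="10:11:00.000001"):
    # Constructed alert_fast line in the Snort 2.9 layout; addresses are RFC 5737 test ranges.
    gid, sid = sig.split(":")
    return (f"07/25-{ts}  [**] [{gid}:{sid}:1] {msg} [**] [Priority: 3] "
            f"{{TCP}} 203.0.113.10:80 -> 192.0.2.5:51234")

# Constructed sample data (hypothetical sensors, not the poster's logs): both saw
# 20 alerts; the x86 sensor raised 120:6 twice, the x64 sensor nine times.
DECOMP = _alert("120:6", "(http_inspect) DECOMPRESSION FAILED")
OTHER = _alert("1:1000001", "LOCAL constructed padding rule")
X86_ALERTS = [DECOMP] * 2 + [OTHER] * 18
X64_ALERTS = [DECOMP] * 9 + [OTHER] * 11

if __name__ == "__main__":
    print(f"x64/x86 120:6 rate ratio: {rate_ratio(X86_ALERTS, X64_ALERTS):.1f}x")
```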
