[Snort-devel] Enormous increase in GZIP Decompression failures with 2.9.3 vs 2.9.2.3 on 64-bit

Brett Edgar brett.edgar at ...2499...
Thu Jul 26 10:34:16 EDT 2012


Matt, I will share those with you off-list.

-Brett

On Wed, Jul 25, 2012 at 9:26 PM, Matt Watchinski
<mwatchinski at ...402...> wrote:
> Have pcaps and a snort.conf that replicate the issue?
>
> Cheers,
> -matt
>
> On Wed, Jul 25, 2012 at 11:17 AM, Brett Edgar <brett.edgar at ...2499...> wrote:
>> Update: the *exact* ./configure command was:
>>
>> ./configure --prefix=/usr --build=x86_64-pc-linux-gnu
>> --host=x86_64-pc-linux-gnu --mandir=/usr/share/man
>> --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc
>> --localstatedir=/var/lib --libdir=/usr/lib64 --enable-shared
>> --disable-static --enable-sourcefire --disable-so-with-static-lib
>> --enable-dynamicplugin --disable-control-socket --enable-ipv6
>> --enable-zlib --enable-gre --enable-mpls --enable-targetbased
>> --enable-ppm --enable-perfprofiling --enable-linux-smp-stats
>> --disable-inline-init-failopen --enable-pthread --disable-debug
>> --disable-debug-msgs --disable-corefiles --disable-gdb
>> --enable-dlclose --enable-active-response --enable-normalizer
>> --enable-reload --enable-reload-error-restart --enable-react
>> --enable-flexresp3 --enable-paf --disable-large-pcap
>> --disable-rzb-saac --disable-build-dynamic-examples --disable-profile
>> --disable-ppm-test --disable-intel-soft-cpm --disable-static-daq
>> --disable-rzb-saac
>>
>> Gentoo ebuilds make ./configure a little wordy. :)  FYI, this is my
>> own ebuild, not an official Gentoo one, not that that should matter.
>>
>> GCC version is 4.5.3.
>>
>> Also, I am a C programmer and I have done my homework: I have examined
>> the code changes for http_inspect between 2.9.2.3 and 2.9.3, and
>> nothing jumps out at me as being problematic...
>>
>> -Brett
>>
>> On Wed, Jul 25, 2012 at 10:11 AM, Brett Edgar <brett.edgar at ...2499...> wrote:
>>> After upgrading a handful of x64 IDS sensors from Snort 2.9.2.3 to
>>> Snort 2.9.3.0, I have noticed an enormous increase (almost 45 times
>>> higher) in GZIP decompression failures (sig 120:6) coming from the
>>> http_inspect preprocessor.  The only other package that was updated
>>> with the move to Snort 2.9.3 was the Sourcefire DAQ library (from
>>> 0.6.2 to 1.1.1).
>>>
>>> Since the VRT did not recommend any snort.conf changes, my Snort
>>> configuration was not changed aside from moving to the 2.9.3.0
>>> subscription rule set (from 2.9.2.3).  The http_inspect configuration
>>> is identical to what I was using with 2.9.2.3.
>>>
>>> What's bothersome is that I do NOT see the same increase on some x86
>>> (32-bit) sensors that were upgraded at the same time.
>>>
>>> I'm using Gentoo as my distro.  My x86 and x64 versions are compiled
>>> identically and linked against the same packages.  Snort was compiled
>>> with --enable-sourcefire --linux-smp-stats and
>>> --enable-reload-error-restart.  It is linked with zlib 1.2.5, libpcap
>>> 1.1.1, libdnet 1.11, daq 1.1.1, and libpcre 8.30.
>>>
>>> Since I've only seen the 120:6 alert increase on 64-bit systems, I'm
>>> thinking there was some code change that may be using the wrong size
>>> integers?
>>>
>>> -Brett
>>
>
> --
> Matthew Watchinski
> V.P. Vulnerability Research (VRT)
> Sourcefire, Inc.
> Office: 410-423-1928
> http://vrt-blog.snort.org && http://www.snort.org/vrt/