[Snort-devel] dnp3 preprocesser: incorrect message when track_udp is disabled

Bram bram-fabeg at ...3414...
Thu Jul 18 15:10:31 EDT 2013


When 'track_udp' is set to 'no' in the stream5_global config, the message
"WARNING: DNP3 memcap exceeded" is logged.
This message is unexpected since the memory usage did not exceed the memcap.

         dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
         preprocessor stream5_global: track_tcp yes, track_udp no
         preprocessor stream5_tcp: policy first, ports client 20000
         preprocessor stream5_udp: timeout 180

         preprocessor dnp3: ports { 20000 } memcap 262144 check_crc
         output alert_fast: stdout

Running it:
         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/dnp3.cap

         Commencing packet processing (pid=14326)
         07/20-14:07:30.865299 ->
         UDP TTL:64 TOS:0x0 ID:14163 IpLen:20 DgmLen:32 DF
         Len: 4

         WARNING: DNP3 memcap exceeded.
         07/20-14:07:32.019776 ->
         UDP TTL:64 TOS:0x0 ID:14164 IpLen:20 DgmLen:32 DF
         Len: 4

dynamic-preprocessors/dnp3/spp_dnp3.c line 504-521 contains:

         /* Create session data and attach it to the Stream5 session */
         tmp_bucket = DNP3CreateSessionData(packetp);

         if (tmp_bucket == NULL)
         {
             /* Mempool was full, don't process this session. */
             static unsigned int times_mempool_alloc_failed = 0;

             /* Print a message, but only every 1000 times.
                Don't want to flood the log if there's a lot of DNP3 traffic. */
             if (times_mempool_alloc_failed % 1000)
                 _dpd.logMsg("WARNING: DNP3 memcap exceeded.\n");


dynamic-preprocessors/dnp3/spp_dnp3.c line 578-592 contains:

         static MemBucket * DNP3CreateSessionData(SFSnortPacket *packet)
         {
                 MemBucket *tmp_bucket = NULL;
                 dnp3_session_data_t *data = NULL;

                 /* Sanity Check */
                 if (!packet || !packet->stream_session_ptr)
                         return NULL;

                 /* data = (dnp3_session_data_t *)calloc(1, sizeof(dnp3_session_data_t)); */

                 tmp_bucket = mempool_alloc(dnp3_mempool);
                 if (!tmp_bucket)
                         return NULL;

Checking it with gdb shows:
         DNP3CreateSessionData (packet=0xbfffeff8) at spp_dnp3.c:580
         580     in spp_dnp3.c
         (gdb) print packet
         $3 = (SFSnortPacket *) 0xbfffeff8
         (gdb) print packet->stream_session_ptr
         $4 = (void *) 0x0

The 'stream_session_ptr' in packet is 0, so the code returns NULL, which
causes tmp_bucket to become NULL, which causes the message to be logged,
since the caller assumes this only happens when the memcap is full.

My guess is that 'stream_session_ptr' is 0 because 'track_udp' is disabled,
but this wasn't investigated further.

Best regards,



-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnp3.cap
Type: application/octet-stream
Size: 252 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130718/41b1a369/attachment.obj>
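The report above boils down to an ambiguous error return: DNP3CreateSessionData returns NULL both when the packet has no Stream5 session (the flow is not tracked) and when the mempool is exhausted, and the caller treats every NULL as "memcap exceeded". The following is an added illustration, not Snort's code, of how a caller can tell the two cases apart by returning a distinct status for each failure reason. ToyPacket, ToyMempool, create_session_data and run_scenario are hypothetical stand-ins for the Snort types and functions named in the report; the pool size and the packet sequence are constructed for the demonstration.

```c
/* Added example (not Snort's code): report a distinct status for each
   failure reason so "memcap exceeded" is only logged when the pool is
   actually full. All types and names below are hypothetical stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOY_POOL_SIZE 2 /* constructed: tiny pool so exhaustion is easy to hit */

typedef struct { void *stream_session_ptr; } ToyPacket; /* NULL = flow not tracked */
typedef struct { int in_use; char payload[16]; } ToyBucket;
typedef struct { ToyBucket buckets[TOY_POOL_SIZE]; } ToyMempool;

typedef enum {
    SESSION_OK = 0,
    SESSION_ERR_BAD_PACKET,     /* NULL packet */
    SESSION_ERR_NO_STREAM,      /* no stream session: flow is not tracked */
    SESSION_ERR_POOL_EXHAUSTED  /* the only case that really is "memcap exceeded" */
} SessionStatus;

static ToyBucket *toy_mempool_alloc(ToyMempool *pool)
{
    for (size_t i = 0; i < TOY_POOL_SIZE; i++) {
        if (!pool->buckets[i].in_use) {
            pool->buckets[i].in_use = 1;
            return &pool->buckets[i];
        }
    }
    return NULL;
}

/* Returns a status and hands the bucket back through an out-parameter,
   instead of a single NULL whose meaning the caller has to guess. */
static SessionStatus create_session_data(ToyMempool *pool, const ToyPacket *pkt,
                                         ToyBucket **out)
{
    *out = NULL;
    if (!pkt)
        return SESSION_ERR_BAD_PACKET;
    if (!pkt->stream_session_ptr)
        return SESSION_ERR_NO_STREAM;
    *out = toy_mempool_alloc(pool);
    return *out ? SESSION_OK : SESSION_ERR_POOL_EXHAUSTED;
}

/* Separate counters so each reason is visible on its own. */
typedef struct {
    unsigned ok, untracked, pool_exhausted, bad_packet, memcap_warnings_logged;
} SessionStats;

static void handle_packet(ToyMempool *pool, const ToyPacket *pkt, SessionStats *st)
{
    ToyBucket *bucket = NULL;
    switch (create_session_data(pool, pkt, &bucket)) {
    case SESSION_OK:
        st->ok++;
        break;
    case SESSION_ERR_NO_STREAM:
        st->untracked++; /* not a memory problem: the flow is simply not tracked */
        break;
    case SESSION_ERR_POOL_EXHAUSTED:
        if (st->pool_exhausted % 1000 == 0) { /* rate-limit, as the original intends */
            fprintf(stderr, "WARNING: DNP3 memcap exceeded.\n");
            st->memcap_warnings_logged++;
        }
        st->pool_exhausted++;
        break;
    case SESSION_ERR_BAD_PACKET:
        st->bad_packet++;
        break;
    }
}

/* Replays the report's situation: two untracked packets (like track_udp no),
   then enough tracked packets to overflow the pool by one. */
SessionStats run_scenario(void)
{
    ToyMempool pool;
    SessionStats st;
    int dummy_session;
    memset(&pool, 0, sizeof pool);
    memset(&st, 0, sizeof st);

    ToyPacket untracked = { NULL };           /* Stream5 attached no session */
    ToyPacket tracked   = { &dummy_session }; /* Stream5 attached a session */

    handle_packet(&pool, &untracked, &st);
    handle_packet(&pool, &untracked, &st);
    for (int i = 0; i < TOY_POOL_SIZE + 1; i++)
        handle_packet(&pool, &tracked, &st);
    return st;
}

int main(void)
{
    SessionStats st = run_scenario();
    printf("ok=%u untracked=%u pool_exhausted=%u warnings=%u\n",
           st.ok, st.untracked, st.pool_exhausted, st.memcap_warnings_logged);
    return 0;
}
```

With this shape the two untracked packets never touch the memcap counter, and the warning fires exactly once, on the single allocation that really failed; the counters also give an operator a way to see untracked flows separately from memory pressure.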
