[Snort-devel] [PATCH] dnp3 preprocessor: message "WARNING: DNP3 memcap exceeded" logged too often

Bram bram-fabeg at ...3414...
Thu Jul 18 15:12:03 EDT 2013


Hi,

This message is related to the previous message: "dnp3 preprocesser: incorrect message when track_udp is disabled".
The error was detected due to that bug.

The dnp3 preprocessor logs the message "WARNING: DNP3 memcap exceeded" too many times.

dynamic-preprocessors/dnp3/spp_dnp3.c lines 511-517 contain:
             /* Print a message, but only every 1000 times.
                Don't want to flood the log if there's a lot of DNP3 traffic. */
             if (times_mempool_alloc_failed % 1000)
             {
                 _dpd.logMsg("WARNING: DNP3 memcap exceeded.\n");
             }
             times_mempool_alloc_failed++;


This code is incorrect and does the opposite of what it was intended to do...

It logs the message 999 times out of 1000 instead of 1 time out of 1000.

Obvious fix:
             if (times_mempool_alloc_failed % 1000 == 0)


Patch for this is attached.

Configuration:
         dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
         preprocessor stream5_global: track_tcp yes, track_udp no
         preprocessor stream5_tcp: policy first, ports client 20000
         preprocessor stream5_udp: timeout 180

         preprocessor dnp3: ports { 20000 } memcap 262144 check_crc
         output alert_fast: stdout

Running it without patch:
         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/dnp3.cap

	...
         Commencing packet processing (pid=14326)
         07/20-14:07:30.865299 192.168.173.1:56323 -> 192.168.173.153:20000
         UDP TTL:64 TOS:0x0 ID:14163 IpLen:20 DgmLen:32 DF
         Len: 4
          
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

         WARNING: DNP3 memcap exceeded.
         07/20-14:07:32.019776 192.168.173.1:56323 -> 192.168.173.153:20000
         UDP TTL:64 TOS:0x0 ID:14164 IpLen:20 DgmLen:32 DF
         Len: 4
          
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

         WARNING: DNP3 memcap exceeded.
         07/20-14:07:33.211051 192.168.173.1:56323 -> 192.168.173.153:20000
         UDP TTL:64 TOS:0x0 ID:14165 IpLen:20 DgmLen:32 DF
         Len: 4
          
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
	...

=> Warning not shown on the first packet
=> Warning shown on the second and third packet


Running it with patch:
         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/dnp3.cap

         Commencing packet processing (pid=15964)
         WARNING: DNP3 memcap exceeded.
         07/20-14:07:30.865299 192.168.173.1:56323 -> 192.168.173.153:20000
         UDP TTL:64 TOS:0x0 ID:14163 IpLen:20 DgmLen:32 DF
         Len: 4
          
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

         07/20-14:07:32.019776 192.168.173.1:56323 -> 192.168.173.153:20000
         UDP TTL:64 TOS:0x0 ID:14164 IpLen:20 DgmLen:32 DF
         Len: 4
          
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

         07/20-14:07:33.211051 192.168.173.1:56323 -> 192.168.173.153:20000
         UDP TTL:64 TOS:0x0 ID:14165 IpLen:20 DgmLen:32 DF
         Len: 4
          
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=> Warning shown on the first packet
=> Warning not shown on the second and third packet


(Note: the fact that this message is logged for the attached capture file is incorrect - see other mail)


Best regards,

Bram
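The inverted modulo test described in the mail is easy to verify with a small simulation. The following C program is an added example, not code from Snort or from the attached patch: it models the quoted check-then-increment loop with a counter and a log predicate, and counts how many WARNING lines each variant would emit for a run of allocation failures. The helper names (should_log_buggy, should_log_fixed, count_warnings, warns_on_packet) are assumptions made for this example.

```c
#include <stdio.h>

/* Predicate type standing in for the "if (...)" guard around _dpd.logMsg(). */
typedef int (*should_log_fn)(unsigned long times_failed);

/* Buggy guard as quoted from spp_dnp3.c: "times_mempool_alloc_failed % 1000"
   is non-zero (true) for 999 of every 1000 counter values. */
int should_log_buggy(unsigned long times_failed)
{
    return (times_failed % 1000) != 0;
}

/* Corrected guard from the mail: true only when the counter is a multiple
   of 1000, i.e. on the first failure and then once per 1000 failures. */
int should_log_fixed(unsigned long times_failed)
{
    return (times_failed % 1000) == 0;
}

/* Simulate n consecutive mempool allocation failures and count how many
   warnings the given guard would let through. The body mirrors the quoted
   code: evaluate the guard first, then increment the counter. */
unsigned long count_warnings(should_log_fn guard, unsigned long n)
{
    unsigned long times_mempool_alloc_failed = 0;   /* hypothetical counter */
    unsigned long logged = 0;

    for (unsigned long i = 0; i < n; i++) {
        if (guard(times_mempool_alloc_failed))
            logged++;                                /* stands in for _dpd.logMsg() */
        times_mempool_alloc_failed++;
    }
    return logged;
}

/* Would the k-th failing packet (1-based) produce a warning? On packet k the
   counter holds k-1 when the guard runs, which reproduces the observed
   "first packet silent, second and third warn" behaviour of the buggy code. */
int warns_on_packet(should_log_fn guard, unsigned long k)
{
    return guard(k - 1);
}

int main(void)
{
    printf("buggy guard: %lu of 3000 failures logged\n",
           count_warnings(should_log_buggy, 3000));
    printf("fixed guard: %lu of 3000 failures logged\n",
           count_warnings(should_log_fixed, 3000));
    for (unsigned long k = 1; k <= 3; k++)
        printf("packet %lu: buggy=%d fixed=%d\n", k,
               warns_on_packet(should_log_buggy, k),
               warns_on_packet(should_log_fixed, k));
    return 0;
}
```

The simulation also shows why the patched build warns on the very first packet: with the corrected guard the counter is 0 on the first failure and 0 % 1000 == 0, so the first failure is reported immediately and the next report comes after another 1000 failures.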


-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnp3.cap
Type: application/octet-stream
Size: 252 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130718/b69eca26/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnp3_warning.patch
Type: text/x-diff
Size: 561 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130718/b69eca26/attachment.patch>

