[Snort-devel] dnp3 preprocesser: incorrect message when track_udp is disabled

Hui Cao hcao at ...402...
Thu Jul 18 15:53:28 EDT 2013


Hi Bram,

Thanks for reporting this. I will bug this.

Best,
Hui.

On Thu, Jul 18, 2013 at 3:10 PM, Bram <bram-fabeg at ...3414...> wrote:
> Hi,
>
>
> When 'track_udp' is set to 'no' in the stream5_global config then it causes
> the message "WARNING: DNP3 memcap exceeded" to be logged.
> This message is unexpected since the memory usage did not exceed the memcap.
>
> Configuration:
>         dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>         preprocessor stream5_global: track_tcp yes, track_udp no
>         preprocessor stream5_tcp: policy first, ports client 20000
>         preprocessor stream5_udp: timeout 180
>
>         preprocessor dnp3: ports { 20000 } memcap 262144 check_crc
>         output alert_fast: stdout
>
> Running it:
>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/dnp3.cap
>
>         ...
>         Commencing packet processing (pid=14326)
>         07/20-14:07:30.865299 192.168.173.1:56323 -> 192.168.173.153:20000
>         UDP TTL:64 TOS:0x0 ID:14163 IpLen:20 DgmLen:32 DF
>         Len: 4
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>         WARNING: DNP3 memcap exceeded.
>         07/20-14:07:32.019776 192.168.173.1:56323 -> 192.168.173.153:20000
>         UDP TTL:64 TOS:0x0 ID:14164 IpLen:20 DgmLen:32 DF
>         Len: 4
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>         ...
>
>
>
> dynamic-preprocessors/dnp3/spp_dnp3.c line 504-521 contains:
>
>         /* Create session data and attach it to the Stream5 session */
>         tmp_bucket = DNP3CreateSessionData(packetp);
>
>         if (tmp_bucket == NULL)
>         {
>             /* Mempool was full, don't process this session. */
>             static unsigned int times_mempool_alloc_failed = 0;
>
>             /* Print a message, but only every 1000 times.
>                Don't want to flood the log if there's a lot of DNP3 traffic. */
>             if (times_mempool_alloc_failed % 1000)
>             {
>                 _dpd.logMsg("WARNING: DNP3 memcap exceeded.\n");
>             }
>             times_mempool_alloc_failed++;
>
>             PREPROC_PROFILE_END(dnp3PerfStats);
>             return;
>         }
>
>
> dynamic-preprocessors/dnp3/spp_dnp3.c line 578-592 contains:
>
>         static MemBucket * DNP3CreateSessionData(SFSnortPacket *packet)
>         {
>                 MemBucket *tmp_bucket = NULL;
>                 dnp3_session_data_t *data = NULL;
>
>                 /* Sanity Check */
>
>                 if (!packet || !packet->stream_session_ptr)
>                         return NULL;
>
>                 /* data = (dnp3_session_data_t *)calloc(1, sizeof(dnp3_session_data_t)); */
>
>                 tmp_bucket = mempool_alloc(dnp3_mempool);
>                 if (!tmp_bucket)
>                         return NULL;
>
>
> Checking it with gdb shows:
>         DNP3CreateSessionData (packet=0xbfffeff8) at spp_dnp3.c:580
>         580     in spp_dnp3.c
>         (gdb) print packet
>         $3 = (SFSnortPacket *) 0xbfffeff8
>         (gdb) print packet->stream_session_ptr
>         $4 = (void *) 0x0
>
> The 'stream_session_ptr' in packet is 0 -> the code returns NULL which
> causes tmp_bucket to become NULL which causes the message to be logged since
> it assumes this only happens when the memcap is full.
>
> My guess is that 'stream_session_ptr' is 0 because 'track_udp' is disabled
> but this wasn't investigated further.
>
>
>
> Best regards,
>
> Bram
>
>
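As an added illustration (not Snort's code and not part of the report above), the C below reworks the allocation path so that "no stream session" and "mempool exhausted" are reported separately, and the memcap warning fires only for a real memcap hit. SFSnortPacket, MemBucket, mempool_alloc and the pool size are minimal stand-ins assumed here; the status enum and dnp3_process_packet are hypothetical names. It also rate-limits to every 1000th failure, whereas the quoted `% 1000` test warns on 999 of every 1000.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Stand-ins for the Snort types used by spp_dnp3.c (assumed, not Snort's own). */
typedef struct { void *stream_session_ptr; } SFSnortPacket;
typedef struct { int in_use; } MemBucket;

#define DNP3_POOL_SIZE 2   /* constructed: tiny pool so exhaustion is easy to reach */
static MemBucket dnp3_pool[DNP3_POOL_SIZE];

/* Why session-data allocation failed; the original folds both cases into NULL. */
typedef enum { DNP3_ALLOC_OK = 0, DNP3_ALLOC_NO_SESSION, DNP3_ALLOC_MEMCAP } dnp3_alloc_status_t;

/* Constructed packets: one without a stream5 session (track_udp no), one with. */
static int fake_session;
static SFSnortPacket pkt_no_session = { NULL };
static SFSnortPacket pkt_with_session = { &fake_session };

static MemBucket *mempool_alloc(void) {
    for (int i = 0; i < DNP3_POOL_SIZE; i++)
        if (!dnp3_pool[i].in_use) { dnp3_pool[i].in_use = 1; return &dnp3_pool[i]; }
    return NULL;   /* pool exhausted: the genuine memcap case */
}

static void mempool_reset(void) { memset(dnp3_pool, 0, sizeof dnp3_pool); }

/* Reworked allocator: the caller learns *why* it got NULL. */
static MemBucket *DNP3CreateSessionData(SFSnortPacket *packet, dnp3_alloc_status_t *status) {
    if (!packet || !packet->stream_session_ptr) {
        *status = DNP3_ALLOC_NO_SESSION;   /* stream5 is not tracking this flow */
        return NULL;
    }
    MemBucket *b = mempool_alloc();
    *status = b ? DNP3_ALLOC_OK : DNP3_ALLOC_MEMCAP;
    return b;
}

/* Mirrors the spp_dnp3.c warning path, but warns only on real memcap exhaustion. */
static dnp3_alloc_status_t dnp3_process_packet(SFSnortPacket *p) {
    static unsigned int times_mempool_alloc_failed = 0;
    dnp3_alloc_status_t st;
    if (DNP3CreateSessionData(p, &st) != NULL)
        return DNP3_ALLOC_OK;
    if (st == DNP3_ALLOC_MEMCAP && times_mempool_alloc_failed++ % 1000 == 0)
        fprintf(stderr, "WARNING: DNP3 memcap exceeded.\n");
    /* DNP3_ALLOC_NO_SESSION: a configuration matter (track_udp/track_tcp), not memcap. */
    return st;
}
```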