[Snort-devel] [PATCH] dnp3 preprocessor: message "WARNING: DNP3 memcap exceeded" logged too often

Bram bram-fabeg at ...3414...
Wed Sep 18 15:33:41 EDT 2013


Was this message taken into consideration? (I received no reply)


Quoting Bram <bram-fabeg at ...3414...>:

> Hi,
>
> This message is related to the previous message: "dnp3 preprocessor: incorrect message when track_udp is disabled".
> The error was detected due to that bug.
>
> The dnp3 preprocessor logs the message "WARNING: DNP3 memcap exceeded" too many times.
>
> dynamic-preprocessors/dnp3/spp_dnp3.c line 511-517 contains:
>             /* Print a message, but only every 1000 times.
>                Don't want to flood the log if there's a lot of DNP3 traffic. */
>             if (times_mempool_alloc_failed % 1000)
>             {
>                 _dpd.logMsg("WARNING: DNP3 memcap exceeded.\n");
>             }
>             times_mempool_alloc_failed++;
>
>
> This code is incorrect and does the opposite of what it intended to do...
>
> It logs the message 999 times out of 1000 instead of 1 time out of 1000.
>
> Obvious fix:
>             if (times_mempool_alloc_failed % 1000 == 0)
>
>
> Patch for this is attached.
>
> Configuration:
>         dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>         preprocessor stream5_global: track_tcp yes, track_udp no
>         preprocessor stream5_tcp: policy first, ports client 20000
>         preprocessor stream5_udp: timeout 180
>
>         preprocessor dnp3: ports { 20000 } memcap 262144 check_crc
>         output alert_fast: stdout
>
> Running it without patch:
>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/dnp3.cap
>
>        ...
>         Commencing packet processing (pid=14326)
>         07/20-14:07:30.865299 192.168.173.1:56323 -> 192.168.173.153:20000
>         UDP TTL:64 TOS:0x0 ID:14163 IpLen:20 DgmLen:32 DF
>         Len: 4
>         =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>         WARNING: DNP3 memcap exceeded.
>         07/20-14:07:32.019776 192.168.173.1:56323 -> 192.168.173.153:20000
>         UDP TTL:64 TOS:0x0 ID:14164 IpLen:20 DgmLen:32 DF
>         Len: 4
>         =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>         WARNING: DNP3 memcap exceeded.
>         07/20-14:07:33.211051 192.168.173.1:56323 -> 192.168.173.153:20000
>         UDP TTL:64 TOS:0x0 ID:14165 IpLen:20 DgmLen:32 DF
>         Len: 4
>         =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>        ...
>
> => Warning not shown on the first packet
> => Warning shown on the second and third packet
>
>
> Running it with patch:
>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/dnp3.cap
>
>         Commencing packet processing (pid=15964)
>         WARNING: DNP3 memcap exceeded.
>         07/20-14:07:30.865299 192.168.173.1:56323 -> 192.168.173.153:20000
>         UDP TTL:64 TOS:0x0 ID:14163 IpLen:20 DgmLen:32 DF
>         Len: 4
>         =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>         07/20-14:07:32.019776 192.168.173.1:56323 -> 192.168.173.153:20000
>         UDP TTL:64 TOS:0x0 ID:14164 IpLen:20 DgmLen:32 DF
>         Len: 4
>         =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>         07/20-14:07:33.211051 192.168.173.1:56323 -> 192.168.173.153:20000
>         UDP TTL:64 TOS:0x0 ID:14165 IpLen:20 DgmLen:32 DF
>         Len: 4
>         =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> => Warning shown on the first packet
> => Warning not shown on the second and third packet
>
>
> (Note: the fact that this message is logged for the attached capture file is incorrect - see other mail)
>
>
> Best regards,
>
> Bram
>



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
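The inverted modulo check from the quoted spp_dnp3.c snippet, as an added illustration (this is not Snort's code): a small simulation that keeps the same check-then-increment order and counts how many warnings each condition would emit; the struct and function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the preprocessor's counter. As in the quoted
 * snippet, the counter is tested first and incremented afterwards, so the
 * very first allocation failure sees the value 0. */
struct memcap_state {
    unsigned long times_mempool_alloc_failed;
};

/* Original condition: non-zero (true) for 999 of every 1000 counter values. */
static bool buggy_should_log(unsigned long n)
{
    return n % 1000;
}

/* Patched condition: true only for counter values 0, 1000, 2000, ... */
static bool fixed_should_log(unsigned long n)
{
    return n % 1000 == 0;
}

/* One "memcap exceeded" event. Returns whether the warning would be logged. */
bool on_alloc_failed(struct memcap_state *st, bool use_fix)
{
    unsigned long n = st->times_mempool_alloc_failed;
    bool log = use_fix ? fixed_should_log(n) : buggy_should_log(n);
    st->times_mempool_alloc_failed++;
    return log;
}

/* Number of warnings that `events` consecutive failures would produce. */
unsigned long count_warnings(unsigned long events, bool use_fix)
{
    struct memcap_state st = { 0 };
    unsigned long logged = 0;
    for (unsigned long i = 0; i < events; i++)
        if (on_alloc_failed(&st, use_fix))
            logged++;
    return logged;
}

int main(void)
{
    /* Three packets, as in the captured runs: buggy logs on packets 2 and 3,
     * patched logs on packet 1 only. */
    printf("buggy, 3 packets: %lu warnings\n", count_warnings(3, false));
    printf("fixed, 3 packets: %lu warnings\n", count_warnings(3, true));
    printf("buggy, 1000 failures: %lu warnings\n", count_warnings(1000, false));
    printf("fixed, 1000 failures: %lu warnings\n", count_warnings(1000, true));
    return 0;
}
```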