[Snort-devel] [PATCH] dnp3 preprocessor: message "WARNING: DNP3 memcap exceeded" logged too often

Hui Cao hcao at ...402...
Wed Sep 18 16:57:59 EDT 2013


Hi Bram,

We have created a bug to track this issue.

Thanks,
Hui.

On Wed, Sep 18, 2013 at 3:33 PM, Bram <bram-fabeg at ...3414...> wrote:
> Was this message taken into consideration? (I received no reply)
>
>
>
> Quoting Bram <bram-fabeg at ...3414...>:
>
>> Hi,
>>
>> This message is related to the previous message: "dnp3 preprocessor:
>> incorrect message when track_udp is disabled".
>> The error was detected due to that bug.
>>
>> The dnp3 preprocessor logs the message "WARNING: DNP3 memcap exceeded"
>> too many times.
>>
>> dynamic-preprocessors/dnp3/spp_dnp3.c line 511-517 contains:
>>             /* Print a message, but only every 1000 times.
>>                Don't want to flood the log if there's a lot of DNP3
>> traffic. */
>>             if (times_mempool_alloc_failed % 1000)
>>             {
>>                 _dpd.logMsg("WARNING: DNP3 memcap exceeded.\n");
>>             }
>>             times_mempool_alloc_failed++;
>>
>>
>> This code is incorrect and does the opposite of what it was intended to do.
>>
>> It logs the message 999 times out of 1000 instead of 1 time out of 1000.
>>
>> Obvious fix:
>>             if (times_mempool_alloc_failed % 1000 == 0)
>>
>>
>> Patch for this is attached.
>>
>> Configuration:
>>         dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>>         preprocessor stream5_global: track_tcp yes, track_udp no
>>         preprocessor stream5_tcp: policy first, ports client 20000
>>         preprocessor stream5_udp: timeout 180
>>
>>         preprocessor dnp3: ports { 20000 } memcap 262144 check_crc
>>         output alert_fast: stdout
>>
>> Running it without patch:
>>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/dnp3.cap
>>
>>        ...
>>         Commencing packet processing (pid=14326)
>>         07/20-14:07:30.865299 192.168.173.1:56323 -> 192.168.173.153:20000
>>         UDP TTL:64 TOS:0x0 ID:14163 IpLen:20 DgmLen:32 DF
>>         Len: 4
>>
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>>         WARNING: DNP3 memcap exceeded.
>>         07/20-14:07:32.019776 192.168.173.1:56323 -> 192.168.173.153:20000
>>         UDP TTL:64 TOS:0x0 ID:14164 IpLen:20 DgmLen:32 DF
>>         Len: 4
>>
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>>         WARNING: DNP3 memcap exceeded.
>>         07/20-14:07:33.211051 192.168.173.1:56323 -> 192.168.173.153:20000
>>         UDP TTL:64 TOS:0x0 ID:14165 IpLen:20 DgmLen:32 DF
>>         Len: 4
>>
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>        ...
>>
>> => Warning not shown on the first packet
>> => Warning shown on the second and third packet
>>
>>
>> Running it with patch:
>>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/dnp3.cap
>>
>>         Commencing packet processing (pid=15964)
>>         WARNING: DNP3 memcap exceeded.
>>         07/20-14:07:30.865299 192.168.173.1:56323 -> 192.168.173.153:20000
>>         UDP TTL:64 TOS:0x0 ID:14163 IpLen:20 DgmLen:32 DF
>>         Len: 4
>>
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>>         07/20-14:07:32.019776 192.168.173.1:56323 -> 192.168.173.153:20000
>>         UDP TTL:64 TOS:0x0 ID:14164 IpLen:20 DgmLen:32 DF
>>         Len: 4
>>
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>>         07/20-14:07:33.211051 192.168.173.1:56323 -> 192.168.173.153:20000
>>         UDP TTL:64 TOS:0x0 ID:14165 IpLen:20 DgmLen:32 DF
>>         Len: 4
>>
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>> => Warning shown on the first packet
>> => Warning not shown on the second and third packet
>>
>>
>> (Note: the fact that this message is logged for the attached capture file
>> is incorrect - see other mail)
>>
>>
>> Best regards,
>>
>> Bram
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>>
>
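Modelling the counter logic from the report above, as an added example that is not Snort's code: the original `if (x % 1000)` predicate beside the patched `== 0` form, driven by a simulated run of mempool allocation failures (the simulation harness and its function names are constructed for this example, not taken from spp_dnp3.c).

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example (not Snort's code). times_mempool_alloc_failed counts memcap
   hits; the intent is to log once per 1000 failures, starting with the first. */

/* Original predicate from the bug report: true for 999 of every 1000 values,
   because `if (x % 1000)` is true whenever the remainder is non-zero. */
static bool should_log_buggy(unsigned long times_failed)
{
    return (times_failed % 1000) != 0;
}

/* Patched predicate: true only when the counter is a multiple of 1000. */
static bool should_log_fixed(unsigned long times_failed)
{
    return (times_failed % 1000) == 0;
}

/* Simulate n consecutive allocation failures, testing the predicate before
   incrementing the counter exactly as the preprocessor does. Returns how
   many warnings would reach the log; pass log == NULL to suppress output. */
static unsigned long simulate_failures(unsigned long n,
                                       bool (*should_log)(unsigned long),
                                       FILE *log)
{
    unsigned long times_mempool_alloc_failed = 0;
    unsigned long logged = 0;

    for (unsigned long i = 0; i < n; i++) {
        if (should_log(times_mempool_alloc_failed)) {
            if (log != NULL)
                fprintf(log, "WARNING: DNP3 memcap exceeded. (failure #%lu)\n", i + 1);
            logged++;
        }
        times_mempool_alloc_failed++;
    }
    return logged;
}

int main(void)
{
    /* Three packets, as in the captures quoted above, then a traffic burst. */
    printf("buggy: %lu of 3 logged\n", simulate_failures(3, should_log_buggy, NULL));
    printf("fixed: %lu of 3 logged\n", simulate_failures(3, should_log_fixed, NULL));
    printf("buggy: %lu of 3000 logged\n", simulate_failures(3000, should_log_buggy, NULL));
    printf("fixed: %lu of 3000 logged\n", simulate_failures(3000, should_log_fixed, NULL));
    return 0;
}
```

The three-failure run reproduces the quoted output: the buggy predicate is silent on the first packet and fires on the second and third, while the patched one fires only on the first.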