[Snort-devel] Snort can't detect hits over fragmented packets using multiple policies

Jon Larson jon at ...3287...
Mon Jan 25 19:34:01 EST 2016

Using netcat and fragroute I created a TCP stream that contains some 
content that triggers a rule hit.  The content spans multiple TCP 
packets.  If I run this with a simple configuration with one policy, 
snort properly detects the rule hit.  However, when I run it with the 

config binding: policy1.conf vlan 100
config binding: policy1.conf policy_id 1
config binding: policy2.conf vlan 101
config binding: policy2.conf policy_id 2

I get no rule hit (the traffic is on vlan 100).  The above has three 
policies:  the default one and the above two.  The policy1.conf file has 
the rule that should have been hit.  I have lines in the default policy, 
policy1.conf and policy2.conf that load stream5_tcp like this:

preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 
180, ...

I don't know how it could work given the code in the 
spp_session.c:initializeSessionPreproc, that only does this once:

         AddFuncToPreprocList(sc, sessionPacketProcessor, 

because up above is the check:
     if (session_configuration == NULL).

As such stream5 will only be enabled for the default configuration.

Is this a known issue with or perhaps I'm missing something?  I 
tested this using snort and it works fine.

Jon L.

More information about the Snort-devel mailing list