[Snort-devel] Snort 220.127.116.11 can't detect hits over fragmented packets using multiple policies
jon at ...3287...
Mon Jan 25 19:34:01 EST 2016
Using netcat and fragroute I created a TCP stream that contains some
content that triggers a rule hit. The content spans multiple TCP
packets. If I run this with a simple configuration with one policy,
snort properly detects the rule hit. However, when I run it with the
config binding: policy1.conf vlan 100
config binding: policy1.conf policy_id 1
config binding: policy2.conf vlan 101
config binding: policy2.conf policy_id 2
I get no rule hit (the traffic is on vlan 100). The above has three
policies: the default one and the above two. The policy1.conf file has
the rule that should have been hit. I have lines in the default policy,
policy1.conf and policy2.conf that load stream5_tcp like this:
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs
I don't know how it could work given the code in
spp_session.c:initializeSessionPreproc, which only does this once:
PP_SESSION_PRIORITY, PP_SESSION, PROTO_BIT__ALL);
because up above is the check:
if (session_configuration == NULL).
As such stream5 will only be enabled for the default configuration.
Is this a known issue with 18.104.22.168 or perhaps I'm missing something? I
tested this using snort 22.214.171.124 and it works fine.
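As an added example (not from the original post and not part of Snort), the following Python helper shows one way to audit a multi-policy setup like the one described above: it parses the `config binding:` lines of a Snort 2.x configuration, resolves each bound policy file, and reports whether each policy, and the default policy, loads `preprocessor stream5_tcp` itself. The sample `snort.conf`, `policy1.conf` and `policy2.conf` it writes to a temporary directory are constructed to mirror the poster's setup; a third `policy3.conf` without a stream5_tcp line is added to show what a gap looks like. The `policy_id`/`vlan`/`net` binding forms and the `preprocessor <name>:` line shape are the standard Snort 2.x syntax; everything else (function names, file contents) is assumed for illustration.

```python
"""Hypothetical lint helper (not part of Snort): list every policy file
bound via 'config binding:' in a Snort 2.x snort.conf and report whether
it carries its own 'preprocessor stream5_tcp' line."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# 'config binding: <policy-file> <kind> <value>' where kind is vlan, net or policy_id
BINDING_RE = re.compile(
    r"^\s*config\s+binding:\s*(?P<path>\S+)\s+(?P<kind>vlan|net|policy_id)\s+(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# 'preprocessor <name>: <options>' (the colon is optional for argument-less preprocessors)
PREPROC_RE = re.compile(r"^\s*preprocessor\s+(?P<name>[A-Za-z0-9_]+)\s*:?", re.IGNORECASE)


def strip_comment(line: str) -> str:
    """Drop a trailing '#' comment; Snort ignores everything after '#'."""
    return line.split("#", 1)[0]


def parse_bindings(conf_text: str) -> List[Tuple[str, str, str]]:
    """Return (policy_path, kind, value) for every 'config binding:' line."""
    bindings = []
    for line in conf_text.splitlines():
        m = BINDING_RE.match(strip_comment(line))
        if m:
            bindings.append((m.group("path"), m.group("kind").lower(), m.group("value")))
    return bindings


def preprocessors_in(conf_text: str) -> List[str]:
    """Lower-cased names of all preprocessors loaded by 'preprocessor <name>' lines."""
    names = []
    for line in conf_text.splitlines():
        m = PREPROC_RE.match(strip_comment(line))
        if m:
            names.append(m.group("name").lower())
    return names


def check_policy_preprocessor(conf_dir: str, main_conf: str,
                              preproc: str = "stream5_tcp") -> Dict[str, bool]:
    """Map '<default>' and each bound policy file to whether it loads `preproc` itself.
    Relative policy paths are resolved against conf_dir; a missing file counts as False."""
    with open(os.path.join(conf_dir, main_conf)) as f:
        main_text = f.read()
    result = {"<default>": preproc in preprocessors_in(main_text)}
    for path, _kind, _value in parse_bindings(main_text):
        if path in result:  # the same file is usually bound twice (vlan + policy_id)
            continue
        full = path if os.path.isabs(path) else os.path.join(conf_dir, path)
        try:
            with open(full) as f:
                result[path] = preproc in preprocessors_in(f.read())
        except FileNotFoundError:
            result[path] = False
    return result


def demo() -> Dict[str, bool]:
    """Constructed sample: the poster's three-policy layout plus one policy that
    forgets stream5_tcp. Returns the per-policy check result."""
    stream5 = "preprocessor stream5_global: track_tcp yes\n" \
              "preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs\n"
    files = {
        "snort.conf": (
            "config binding: policy1.conf vlan 100\n"
            "config binding: policy1.conf policy_id 1\n"
            "config binding: policy2.conf vlan 101\n"
            "config binding: policy2.conf policy_id 2\n"
            "config binding: policy3.conf vlan 102  # constructed: no stream5 in this one\n"
            + stream5
        ),
        "policy1.conf": stream5 + 'alert tcp any any -> any any (msg:"sample"; content:"abc"; sid:1000001;)\n',
        "policy2.conf": stream5,
        "policy3.conf": "preprocessor frag3_global\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(text)
        return check_policy_preprocessor(d, "snort.conf")


if __name__ == "__main__":
    for policy, ok in demo().items():
        print(f"{policy:14s} stream5_tcp: {'yes' if ok else 'MISSING'}")
```

The check only tells you which policy files declare the preprocessor; whether a given Snort build actually enables stream5 in every bound policy at runtime is exactly the question the post raises and is not something a static config scan can answer.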