[Snort-devel] Snort 126.96.36.199 can't detect hits over fragmented packets using multiple policies
Ed Borgoyn (eborgoyn)
eborgoyn at ...3461...
Fri Jan 29 08:32:51 EST 2016
Thanks for the note. We will investigate.
Cisco Snort Development Team
On 1/25/16, 7:34 PM, "Jon Larson" <jon at ...3287...> wrote:
>Using netcat and fragroute I created a TCP stream that contains some
>content that triggers a rule hit. The content spans multiple TCP
>packets. If I run this with a simple configuration with one policy,
>snort properly detects the rule hit. However, when I run it with the
>config binding: policy1.conf vlan 100
>config binding: policy1.conf policy_id 1
>config binding: policy2.conf vlan 101
>config binding: policy2.conf policy_id 2
>I get no rule hit (the traffic is on vlan 100). The above has three
>policies: the default one and the above two. The policy1.conf file has
>the rule that should have been hit. I have lines in the default policy,
>policy1.conf and policy2.conf that load stream5_tcp like this:
>preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs
>I don't know how it could work given the code in the
>spp_session.c:initializeSessionPreproc, that only does this once:
> AddFuncToPreprocList(sc, sessionPacketProcessor, PP_SESSION_PRIORITY, PP_SESSION, PROTO_BIT__ALL);
>because up above is the check:
> if (session_configuration == NULL).
>As such stream5 will only be enabled for the default configuration.
>Is this a known issue with 188.8.131.52 or perhaps I'm missing something? I
>tested this using snort 184.108.40.206 and it works fine.
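
The failure mode the quoted report describes, as an added example that is not Snort source code and not part of the original thread: a simplified C model in which a per-policy registration step sits inside a one-time global guard, so only the first policy parsed gets stream reassembly. All names (`struct policy`, `init_guarded`, `init_per_policy`, `inspect`, `run`) are hypothetical and the `TESTPATTERN` segments are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical model: each policy has its own preprocessor list, reduced
 * here to one flag saying whether stream reassembly runs for it. */
struct policy { int vlan; int has_session_pp; char stream[64]; };

static int global_cfg, *session_cfg;   /* process-wide session state */

/* Pattern the report describes: the per-policy registration sits inside
 * the one-time global guard, so only the first policy parsed gets it. */
static void init_guarded(struct policy *p) {
    if (session_cfg == NULL) {
        session_cfg = &global_cfg;     /* one-time global setup */
        p->has_session_pp = 1;         /* per-policy step, guarded by mistake */
    }
}

/* Separated form: global setup once, registration for every policy. */
static void init_per_policy(struct policy *p) {
    if (session_cfg == NULL)
        session_cfg = &global_cfg;
    p->has_session_pp = 1;
}

/* Match `rule` in one TCP segment; with reassembly the segment is first
 * appended to the policy's stream buffer and the whole buffer is searched. */
static int inspect(struct policy *p, const char *seg, const char *rule) {
    if (!p->has_session_pp)
        return strstr(seg, rule) != NULL;
    strncat(p->stream, seg, sizeof p->stream - strlen(p->stream) - 1);
    return strstr(p->stream, rule) != NULL;
}

/* Parse default + two bound policies, then send constructed content split
 * over two segments on `vlan`. Returns 1 if the rule fired. */
static int run(void (*init)(struct policy *), int vlan) {
    struct policy ps[3] = { { -1, 0, "" }, { 100, 0, "" }, { 101, 0, "" } };
    const char *segs[] = { "GET /TESTPA", "TTERN HTTP/1.0" };  /* constructed */
    int hit = 0;
    session_cfg = NULL;                        /* fresh parse for each run */
    for (int i = 0; i < 3; i++) init(&ps[i]);
    struct policy *p = &ps[0];                 /* default unless a binding matches */
    for (int i = 1; i < 3; i++) if (ps[i].vlan == vlan) p = &ps[i];
    for (int i = 0; i < 2; i++) hit |= inspect(p, segs[i], "TESTPATTERN");
    return hit;
}

int main(void) {
    printf("guarded=%d per-policy=%d\n", run(init_guarded, 100), run(init_per_policy, 100));
    return 0;
}
```

In this model, traffic that falls through to the default policy still matches under the guarded form, which is why a single-policy test would not expose the gap.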