[Snort-devel] Snort can't detect hits over fragmented packets using multiple policies

Ed Borgoyn (eborgoyn) eborgoyn at ...3461...
Fri Jan 29 08:32:51 EST 2016

  Thanks for the note.  We will investigate.
    Ed Borgoyn
    Cisco Snort Development Team

On 1/25/16, 7:34 PM, "Jon Larson" <jon at ...3287...> wrote:

>Using netcat and fragroute I created a TCP stream that contains some
>content that triggers a rule hit.  The content spans multiple TCP
>packets.  If I run this with a simple configuration with one policy,
>snort properly detects the rule hit.  However, when I run it with the
>config binding: policy1.conf vlan 100
>config binding: policy1.conf policy_id 1
>config binding: policy2.conf vlan 101
>config binding: policy2.conf policy_id 2
>I get no rule hit (the traffic is on vlan 100).  The above has three
>policies:  the default one and the above two.  The policy1.conf file has
>the rule that should have been hit.  I have lines in the default policy,
>policy1.conf and policy2.conf that load stream5_tcp like this:
>preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs
>180, ...
>I don't know how it could work given the code in the
>spp_session.c:initializeSessionPreproc, that only does this once:
>         AddFuncToPreprocList(sc, sessionPacketProcessor,
>because up above is the check:
>     if (session_configuration == NULL).
>As such stream5 will only be enabled for the default configuration.
>Is this a known issue with or perhaps I'm missing something?  I
>tested this using snort and it works fine.
>Jon L.
>Site24x7 APM Insight: Get Deep Visibility into Application Performance
>APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>Monitor end-to-end web transactions and take corrective actions now
>Troubleshoot faster and improve end-user experience. Signup Now!
>Snort-devel mailing list
>Snort-devel at lists.sourceforge.net
>Please visit http://blog.snort.org for the latest news about Snort!

More information about the Snort-devel mailing list