[Snort-devel] Snort 2.9.8.0 can't detect hits over fragmented packets using multiple policies

Ed Borgoyn (eborgoyn) eborgoyn at ...3461...
Fri Jan 29 08:32:51 EST 2016


Jon,
  Thanks for the note.  We will investigate.
    Ed Borgoyn
    Cisco Snort Development Team



On 1/25/16, 7:34 PM, "Jon Larson" <jon at ...3287...> wrote:

>Using netcat and fragroute I created a TCP stream that contains some
>content that triggers a rule hit.  The content spans multiple TCP
>packets.  If I run this with a simple configuration with one policy,
>snort properly detects the rule hit.  However, when I run it with the
>following:
>
>config binding: policy1.conf vlan 100
>config binding: policy1.conf policy_id 1
>config binding: policy2.conf vlan 101
>config binding: policy2.conf policy_id 2
>
>I get no rule hit (the traffic is on vlan 100).  The above has three
>policies:  the default one and the above two.  The policy1.conf file has
>the rule that should have been hit.  I have lines in the default policy,
>policy1.conf and policy2.conf that load stream5_tcp like this:
>
>preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs
>180, ...
>
>I don't know how it could work given the code in the
>spp_session.c:initializeSessionPreproc, that only does this once:
>
>         AddFuncToPreprocList(sc, sessionPacketProcessor,
>PP_SESSION_PRIORITY, PP_SESSION, PROTO_BIT__ALL);
>
>because up above is the check:
>     if (session_configuration == NULL).
>
>As such stream5 will only be enabled for the default configuration.
>
>Is this a known issue with 2.9.8.0 or perhaps I'm missing something?  I
>tested this using snort 2.9.6.2 and it works fine.
>
>TIA,
>Jon L.
>
>
>--------------------------------------------------------------------------
>----
>Site24x7 APM Insight: Get Deep Visibility into Application Performance
>APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>Monitor end-to-end web transactions and take corrective actions now
>Troubleshoot faster and improve end-user experience. Signup Now!
>http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
>_______________________________________________
>Snort-devel mailing list
>Snort-devel at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-devel
>Archive:
>http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
>Please visit http://blog.snort.org for the latest news about Snort!





More information about the Snort-devel mailing list