[Snort-devel] Snort 2.9.8.0 can't detect hits over fragmented packets using multiple policies

Jon Larson jon at ...3287...
Fri Jan 29 16:42:37 EST 2016


I was able to get it working by moving the following lines:

AddFuncToConfigCheckList(sc, verifySessionConfig);
#ifdef ENABLE_HA
     AddFuncToPostConfigList(sc, SessionHAPostConfigInit, NULL);
#endif
enablePreprocAllPorts( sc, PP_SESSION, PROTO_BIT__ALL );
AddFuncToPreprocList(sc, sessionPacketProcessor, PP_SESSION_PRIORITY, PP_SESSION, PROTO_BIT__ALL);


to be outside the block:

     if (session_configuration == NULL)
     {
         ....
     }



On 1/29/16 5:32 AM, Ed Borgoyn (eborgoyn) wrote:
> Jon,
>    Thanks for the note.  We will investigate.
>      Ed Borgoyn
>      Cisco Snort Development Team
>
>
>
> On 1/25/16, 7:34 PM, "Jon Larson" <jon at ...3287...> wrote:
>
>> Using netcat and fragroute I created a TCP stream that contains some
>> content that triggers a rule hit.  The content spans multiple TCP
>> packets.  If I run this with a simple configuration with one policy,
>> snort properly detects the rule hit.  However, when I run it with the
>> following:
>>
>> config binding: policy1.conf vlan 100
>> config binding: policy1.conf policy_id 1
>> config binding: policy2.conf vlan 101
>> config binding: policy2.conf policy_id 2
>>
>> I get no rule hit (the traffic is on vlan 100).  The above has three
>> policies:  the default one and the above two.  The policy1.conf file has
>> the rule that should have been hit.  I have lines in the default policy,
>> policy1.conf and policy2.conf that load stream5_tcp like this:
>>
>> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, ...
>>
>> I don't know how it could work given the code in the
>> spp_session.c:initializeSessionPreproc, that only does this once:
>>
>>          AddFuncToPreprocList(sc, sessionPacketProcessor, PP_SESSION_PRIORITY, PP_SESSION, PROTO_BIT__ALL);
>>
>> because up above is the check:
>>      if (session_configuration == NULL).
>>
>> As such stream5 will only be enabled for the default configuration.
>>
>> Is this a known issue with 2.9.8.0 or perhaps I'm missing something?  I
>> tested this using snort 2.9.6.2 and it works fine.
>>
>> TIA,
>> Jon L.
>>
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> Archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
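The registration bug and the fix described in this thread, as a simplified model added here for illustration; this is not Snort source. The structures and names below (snort_config_t, add_func_to_preproc_list, init_session_preproc_buggy, init_session_preproc_fixed, session_tracking_active, tracked_with) are stand-ins for SnortConfig, AddFuncToPreprocList() and spp_session.c:initializeSessionPreproc(), and the VLAN bindings mirror the three-policy setup from the report (default policy, policy1.conf on vlan 100, policy2.conf on vlan 101). The point it shows is that a per-policy registration placed inside a once-only global init guard runs for the first policy parsed only, so traffic dispatched to the VLAN-bound policies never reaches the session/stream5 packet processor.

```c
/*
 * Toy model of Snort 2.9.x multi-policy preprocessor registration.
 * Added example, not Snort source: names and structures are simplified
 * stand-ins for SnortConfig, the per-policy preprocessor list and
 * spp_session.c:initializeSessionPreproc().
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_POLICIES 4
#define MAX_PREPROCS 8

typedef struct {
    int vlan;                           /* VLAN bound to this policy, -1 for the default policy */
    int preproc_count;
    const char *preprocs[MAX_PREPROCS]; /* processors registered on this policy */
} policy_t;

typedef struct {
    int num_policies;
    policy_t policies[MAX_POLICIES];
} snort_config_t;

/* Stand-in for the module-global session_configuration pointer. */
static void *session_configuration = NULL;

/* Stand-in for AddFuncToPreprocList(): register a packet processor on ONE policy. */
static void add_func_to_preproc_list(snort_config_t *sc, int policy_id, const char *name)
{
    policy_t *p = &sc->policies[policy_id];
    if (p->preproc_count < MAX_PREPROCS)
        p->preprocs[p->preproc_count++] = name;
}

/* Buggy shape (as described for 2.9.8.0): the per-policy registration sits
 * inside the one-time "if (session_configuration == NULL)" block, so only the
 * policy parsed first (the default one) gets sessionPacketProcessor. */
static void init_session_preproc_buggy(snort_config_t *sc, int policy_id)
{
    if (session_configuration == NULL)
    {
        session_configuration = sc;     /* global init, happens once per process */
        add_func_to_preproc_list(sc, policy_id, "sessionPacketProcessor");
    }
}

/* Fixed shape (the change Jon describes): the global init stays guarded,
 * the registration is moved out of the block and runs for every policy. */
static void init_session_preproc_fixed(snort_config_t *sc, int policy_id)
{
    if (session_configuration == NULL)
    {
        session_configuration = sc;     /* global init, happens once per process */
    }
    add_func_to_preproc_list(sc, policy_id, "sessionPacketProcessor");
}

/* Select the policy bound to a VLAN (policy 0 when no binding matches) and
 * report whether sessionPacketProcessor would run on that traffic. */
static bool session_tracking_active(const snort_config_t *sc, int vlan)
{
    int chosen = 0;
    for (int i = 1; i < sc->num_policies; i++)
        if (sc->policies[i].vlan == vlan) { chosen = i; break; }
    const policy_t *p = &sc->policies[chosen];
    for (int i = 0; i < p->preproc_count; i++)
        if (strcmp(p->preprocs[i], "sessionPacketProcessor") == 0)
            return true;
    return false;
}

/* Build the three-policy config from the report and run the given init
 * routine once per policy, the way config parsing does. */
static snort_config_t build_config(void (*init)(snort_config_t *, int))
{
    snort_config_t sc;
    memset(&sc, 0, sizeof sc);
    session_configuration = NULL;       /* simulate a fresh process */
    sc.num_policies = 3;
    sc.policies[0].vlan = -1;           /* default policy */
    sc.policies[1].vlan = 100;          /* policy1.conf: config binding ... vlan 100 */
    sc.policies[2].vlan = 101;          /* policy2.conf: config binding ... vlan 101 */
    for (int i = 0; i < sc.num_policies; i++)
        init(&sc, i);
    return sc;
}

/* Convenience: would traffic on `vlan` be session-tracked under this init routine? */
static bool tracked_with(void (*init)(snort_config_t *, int), int vlan)
{
    snort_config_t sc = build_config(init);
    return session_tracking_active(&sc, vlan);
}

int main(void)
{
    printf("buggy: vlan 100 tracked=%d\n", tracked_with(init_session_preproc_buggy, 100));
    printf("fixed: vlan 100 tracked=%d\n", tracked_with(init_session_preproc_fixed, 100));
    return 0;
}
```

With the buggy routine only traffic that falls through to the default policy is tracked, which matches the report: a single-policy config detects the cross-packet content, the same rule in policy1.conf on vlan 100 does not.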