Snort mailing list archives
Re: SFSnortPacket: Problem when getting packet payload
From: Todd Wease <twease () sourcefire com>
Date: Tue, 14 May 2013 10:15:36 -0400
Hi Hai,

Looks like the payload_size may be zero and the payload pointer not NULL if there isn't any payload after, say, the TCP header - if the payload_size is 0, you shouldn't be accessing the payload pointer. It may be that you're running in passive or post-ack mode and getting both a stream5 reassembled packet and the ACK (no payload) that caused the reassembly. You may want to check for just reassembled packets. The SFSnortPacket header has a flags member, and with PAF enabled you can test for a full PDU:

PacketHasFullPDU(p) || p->flags & FLAG_REBUILT_STREAM   // p is an SFSnortPacket instance

If you're still having issues and you don't mind, can you send your code (or at least the relevant part), a pcap and the packets you think should have a payload_size > 0 when they get to your preprocessor (off list to me if you prefer)?

Thanks,
Todd

On Tue, May 14, 2013 at 6:39 AM, Hai Minh Nguyen <lightsea90 () gmail com> wrote:
Hi,

I'm writing a dynamic preprocessor which examines all packet payload. I found that SFSnortPacket contains 2 members: payload (pointer) and payload_size. I used these 2 members to read packet payload. But when I tested with the packets of an HTTP stream (payload definitely existed), it showed that payload_size = 0 and payload != NULL. I thought if payload_size = 0 then payload = NULL :|

My questions:
1. If payload_size = 0, there's no payload, just header, and payload = NULL. Is this true? What about my case?
2. How to examine packet payload? (Is my way right? How to fix? Any other solution?)

--
Sword Demon Độc Cô Cầu Bại - Oh, a glorious lifetime, wishing only to be defeated once, yet no one has ever made it past three moves!!!

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
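The two guards Todd describes (never read through payload when payload_size is 0, and only inspect the stream5 rebuilt or PAF full-PDU copy of the data) as an added, stand-alone C example. This is not code from the thread or from Snort: it models only the three SFSnortPacket members discussed (payload, payload_size, flags), the flag bit values and the PacketHasFullPDU macro body are placeholders for this example rather than the constants in Snort's sf_snort_packet.h, and the sample packets are constructed, not captured. In a real dynamic preprocessor the struct and macro come from the Snort headers and inspect_packet would be the body of the registered packet callback.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the three SFSnortPacket members this thread is about.
 * This is NOT Snort's sf_snort_packet.h: the real struct has many more
 * fields and the flag bit values below are placeholders chosen for this
 * example, not Snort's constants. */
typedef struct {
    const uint8_t *payload;      /* may be non-NULL even when payload_size == 0 */
    uint16_t       payload_size;
    uint32_t       flags;
} SFSnortPacket;

#define FLAG_REBUILT_STREAM 0x00000001u   /* placeholder bit value */
#define FLAG_PDU_HEAD       0x00000002u   /* placeholder bit value */
#define FLAG_PDU_TAIL       0x00000004u   /* placeholder bit value */

/* Assumed shape of the macro named in the thread: a PAF-delimited packet
 * that carries both the head and the tail of one PDU. */
#define PacketHasFullPDU(p) \
    (((p)->flags & (FLAG_PDU_HEAD | FLAG_PDU_TAIL)) == (FLAG_PDU_HEAD | FLAG_PDU_TAIL))

enum {
    SKIP_NO_PAYLOAD      = 0,  /* payload_size == 0: never dereference payload */
    SKIP_NOT_REASSEMBLED = 1,  /* raw segment; wait for the stream5 rebuilt copy */
    INSPECTED_NO_MATCH   = 2,
    INSPECTED_MATCH      = 3   /* payload begins with an HTTP GET request line */
};

/* What a preprocessor's packet callback would do with one SFSnortPacket. */
int inspect_packet(const SFSnortPacket *p)
{
    /* Guard 1: length first. A bare ACK can arrive with payload pointing just
     * past the TCP header and payload_size == 0; reading through it is an
     * out-of-bounds access even though the pointer is not NULL. */
    if (p->payload == NULL || p->payload_size == 0)
        return SKIP_NO_PAYLOAD;

    /* Guard 2: in passive/post-ACK mode the same bytes can show up twice, as
     * the raw segment and as the stream5 rebuilt packet. Inspect only the
     * reassembled/full-PDU copy, so a PDU split across segments is not
     * matched piecemeal and nothing is counted twice. */
    if (!(PacketHasFullPDU(p) || (p->flags & FLAG_REBUILT_STREAM)))
        return SKIP_NOT_REASSEMBLED;

    /* Every read is bounded by payload_size. */
    if (p->payload_size >= 4 && memcmp(p->payload, "GET ", 4) == 0)
        return INSPECTED_MATCH;
    return INSPECTED_NO_MATCH;
}

/* Constructed sample data (not captured traffic). */
static const uint8_t http_get[]  = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n";
static const uint8_t http_resp[] = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";

/* Bare ACK: size 0 but pointer non-NULL, the situation reported in the thread. */
const SFSnortPacket sample_bare_ack      = { http_get, 0, 0 };
/* First raw segment of the request (8 bytes of it), not yet reassembled. */
const SFSnortPacket sample_raw_segment   = { http_get, 8, 0 };
/* stream5 rebuilt packet carrying the whole request. */
const SFSnortPacket sample_rebuilt       = { http_get, (uint16_t)(sizeof http_get - 1),
                                             FLAG_REBUILT_STREAM };
/* PAF-delimited full PDU in the server direction: inspected, but no GET. */
const SFSnortPacket sample_full_pdu_resp = { http_resp, (uint16_t)(sizeof http_resp - 1),
                                             FLAG_PDU_HEAD | FLAG_PDU_TAIL };

int main(void)
{
    static const char *names[] = { "skip: no payload", "skip: not reassembled",
                                   "inspected: no match", "inspected: HTTP GET" };
    const SFSnortPacket *samples[] = { &sample_bare_ack, &sample_raw_segment,
                                       &sample_rebuilt, &sample_full_pdu_resp };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i, names[inspect_packet(samples[i])]);
    return 0;
}
```

The order of the guards matters: the length check comes before any flag logic or byte comparison, so a zero-length packet is rejected before anything reads through the pointer, whatever state the pointer is in.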
Current thread:
- SFSnortPacket: Problem when getting packet payload Hai Minh Nguyen (May 14)
- Re: SFSnortPacket: Problem when getting packet payload Todd Wease (May 14)