Snort mailing list archives

2 questions about Stream5 handling of missing data


From: John Eure <john.eure () gmail com>
Date: Thu, 30 Jan 2014 19:51:39 -0800

Hello,

I've been using snort to do some custom traffic inspection for a client,
and have written a few plugins, including a preprocessor plugin that uses
Stream5's Protocol Aware Flushing (PAF).  I've been testing out the new
release (2.9.6.0), and encountered a behavior that I hadn't seen before,
and I'd like to find out whether it's a bug, or whether it's something I
should be expecting.

Normally, every time my preprocessor plugin sees a packet, the Packet
struct has been zeroed out (up to the ip_options field) and then filled
with new data, so I get a clean struct each time.  In this release, Stream5
got some improvements in how it handles missing data.  (Thank you,
Sourcefire!)  But when that new handling is triggered, I'm seeing packets
that haven't been completely zeroed out.  Specifically, it's the Stream5
rebuilt pseudo-packet that is generated after the gap in the data, which
hasn't been zeroed out before the new data was added.

I've been using a bit field (the preproc_reassembly_pkt_bits field) in the
Packet struct to mark packets as having been accepted or rejected by my
preprocessor, and so I was surprised to find that the bit field wasn't
reset in between packets.  Is this normal behavior that I should be
expecting?


Also, I've got a second, more general question, for Sourcefire.  After
Stream5 detects missing data on a stream, PAF gets "reset", and the flush
policy gets set to STREAM_FLPOLICY_FOOTPRINT, and never goes back to
STREAM_FLPOLICY_PROTOCOL again.  So far, I've been able to work around
this, but I'd much rather have a solid fix in place.  So I was wondering,
is this on your roadmap for future development?  At the very least, now you
know there's at least one person interested in that feature.  :)

Thanks,
John Eure
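The failure mode described in the first question, shown as an added example that is not from the post or from the Snort source: a rebuilt pseudo-packet struct is reused without being zeroed, so a preprocessor that trusts its own mark bits in preproc_reassembly_pkt_bits to be clean on entry can carry an earlier accept decision onto new data. The Packet struct, the bit positions and the accept rule are simplified stand-ins (assumptions), not Snort's real definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for Snort's Packet struct: only the field the post discusses
 * is modelled here (assumption: the real struct has many more members). */
typedef struct {
    const uint8_t *payload;
    uint16_t dsize;
    uint32_t preproc_reassembly_pkt_bits;
} Packet;

/* Hypothetical bit positions this preprocessor owns inside the field. */
#define MY_PP_ACCEPTED (1u << 3)
#define MY_PP_REJECTED (1u << 4)
#define MY_PP_MASK     (MY_PP_ACCEPTED | MY_PP_REJECTED)

/* Toy accept rule standing in for real inspection: payload starts "OK". */
static bool payload_ok(const Packet *p) {
    return p->dsize >= 2 && p->payload[0] == 'O' && p->payload[1] == 'K';
}

/* Naive: assumes the struct was zeroed, so a stale ACCEPTED bit left by an
 * earlier pseudo-packet short-circuits inspection of the new data. */
bool inspect_naive(Packet *p) {
    if (p->preproc_reassembly_pkt_bits & MY_PP_MASK)      /* "already decided" */
        return (p->preproc_reassembly_pkt_bits & MY_PP_ACCEPTED) != 0;
    p->preproc_reassembly_pkt_bits |= payload_ok(p) ? MY_PP_ACCEPTED : MY_PP_REJECTED;
    return (p->preproc_reassembly_pkt_bits & MY_PP_ACCEPTED) != 0;
}

/* Hardened: clear only the bits this preprocessor owns before deciding,
 * so the verdict never depends on the struct having been zeroed. */
bool inspect_hardened(Packet *p) {
    p->preproc_reassembly_pkt_bits &= ~MY_PP_MASK;
    p->preproc_reassembly_pkt_bits |= payload_ok(p) ? MY_PP_ACCEPTED : MY_PP_REJECTED;
    return (p->preproc_reassembly_pkt_bits & MY_PP_ACCEPTED) != 0;
}

/* Simulates one rebuilt pseudo-packet buffer reused across a data gap:
 * an accepted flush is followed by bad data refilled without a memset.
 * Returns the verdict on the second (bad) payload. */
bool stale_bits_demo(bool hardened) {
    static const uint8_t good[] = "OK", bad[] = "XX";   /* constructed payloads */
    Packet reb;
    memset(&reb, 0, sizeof reb);                        /* first use: clean struct */
    reb.payload = good; reb.dsize = 2;
    if (hardened) inspect_hardened(&reb); else inspect_naive(&reb);
    reb.payload = bad;  reb.dsize = 2;                  /* refilled, not zeroed */
    return hardened ? inspect_hardened(&reb) : inspect_naive(&reb);
}
```

The naive path accepts the bad payload purely because of the stale bit, which is the inspection gap a preprocessor should close on its side regardless of whether Stream5 changes its zeroing.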