snort-devel February 2014 archive

Re: [Snort-devel] 2 questions about Stream5 handling of missing data

From: Russ Combs <rcombs_at_nospam>
Date: Mon Feb 03 2014 - 21:22:24 GMT
To: John Eure <john.eure@gmail.com>

John,

Thanks for the detailed query. Comments inline.

Russ

On Thu, Jan 30, 2014 at 10:51 PM, John Eure <john.eure@gmail.com> wrote:

> Hello,
>
> I've been using Snort to do some custom traffic inspection for a client,
> and have written a few plugins, including a preprocessor plugin that uses
> Stream5's Protocol Aware Flushing (PAF). I've been testing out the new
> release (2.9.6.0), and encountered a behavior that I hadn't seen before,
> and I'd like to find out whether it's a bug, or whether it's something I
> should be expecting.
>
> Normally, every time my preprocessor plugin sees a packet, the Packet
> struct has been zeroed out (up to the ip_options field) and then filled
> with new data, so I get a clean struct each time. In this release, Stream5
> got some improvements in how it handles missing data. (Thank you,
> Sourcefire!) But when that new handling is triggered, I'm seeing packets
> that haven't been completely zeroed out. Specifically, it's the Stream5
> rebuilt pseudo-packet that is generated after the gap in the data, which
> hasn't been zeroed out before the new data was added.
>
> I've been using a bit field (the preproc_reassembly_pkt_bits field) in the
> Packet struct to mark packets as having been accepted or rejected by my
> preprocessor, and so I was surprised to find that the bit field wasn't
> reset in between packets. Is this normal behavior that I should be
> expecting?
>

That looks like a bug that should get fixed. Do you have a repro pcap and
conf?

>
>
> Also, I've got a second, more general question, for Sourcefire. After
> Stream5 detects missing data on a stream, PAF gets "reset", and the flush
> policy gets set to STREAM_FLPOLICY_FOOTPRINT, and never goes back to
> STREAM_FLPOLICY_PROTOCOL again. So far, I've been able to work around
> this, but I'd much rather have a solid fix in place. So I was wondering,
> is this on your roadmap for future development? At the very least, now you
> know there's at least one person interested in that feature. :)
>

This will be re-examined at some point. What is your workaround here?

Also, are you running passive? Are the gaps due to Snort drops or what?

The intent was to not chew through session data looking for a match after
initial failure for performance and to avoid the general confusion from
midstream data. Does your protocol have a unique way of synchronizing in
such cases?

> Thanks,
> John Eure

_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
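The stale-bit hazard John reports above (a rebuilt pseudo-packet reused without being zeroed, so a per-packet bit field carries the previous segment's verdict into the next one) is easy to reproduce in miniature. The following is an added example, not code from Snort or from anyone in this thread: `toy_packet`, `pkt_bits`, `rebuild_clean` and `rebuild_after_gap` are hypothetical stand-ins for Snort's `Packet`, `preproc_reassembly_pkt_bits` and the two rebuild paths John describes, and the "reject payloads starting with X" rule and the sample segments are constructed for the demonstration. It also shows the defensive habit a preprocessor author can adopt regardless of whether the engine zeroes the struct: clear your own bits on entry.

```c
/* Toy model of the stale-bit hazard. Added example, not Snort code:
 * toy_packet, pkt_bits and the rebuild_* functions are hypothetical
 * stand-ins for Snort's Packet, preproc_reassembly_pkt_bits and the
 * Stream5 rebuilt-pseudo-packet path described in the thread. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PP_ACCEPTED 0x1u   /* preprocessor verdict bits */
#define PP_REJECTED 0x2u

typedef struct {
    uint32_t pkt_bits;      /* per-packet scratch bits a preprocessor may set */
    size_t   payload_len;
    uint8_t  payload[64];
} toy_packet;

/* One pseudo-packet is reused for every rebuilt segment, as a reassembler
 * typically does to avoid allocating per flush. */
static toy_packet rebuilt;

/* Normal rebuild path: zero the struct, then fill it. */
static toy_packet *rebuild_clean(const uint8_t *data, size_t len)
{
    memset(&rebuilt, 0, sizeof rebuilt);
    rebuilt.payload_len = len;
    memcpy(rebuilt.payload, data, len);
    return &rebuilt;
}

/* Models the reported bug: the post-gap rebuild fills the payload but never
 * zeroes the header fields, so pkt_bits still holds the previous verdict. */
static toy_packet *rebuild_after_gap(const uint8_t *data, size_t len)
{
    rebuilt.payload_len = len;
    memcpy(rebuilt.payload, data, len);
    return &rebuilt;
}

/* Classifier: reject payloads starting with 'X' (constructed toy rule).
 * With defensive != 0 it clears its own bits before deciding. */
static void classify(toy_packet *p, int defensive)
{
    if (defensive)
        p->pkt_bits &= ~(PP_ACCEPTED | PP_REJECTED);  /* own bits, own responsibility */
    if (p->payload_len > 0 && p->payload[0] == 'X')
        p->pkt_bits |= PP_REJECTED;
    else
        p->pkt_bits |= PP_ACCEPTED;
}

/* Downstream consumer (think: a rule option) that honours the verdict bit. */
static int consumer_verdict(const toy_packet *p)
{
    return (p->pkt_bits & PP_REJECTED) ? -1 : 0;
}

/* Scenario: a bad segment, then a gap, then a good segment rebuilt from the
 * same pseudo-packet. Returns the consumer's verdict on the good segment:
 * -1 means it was (wrongly) treated as rejected, 0 means accepted. */
int run_scenario(int defensive)
{
    static const uint8_t bad[]  = "Xbad";    /* constructed sample segments */
    static const uint8_t good[] = "hello";

    memset(&rebuilt, 0, sizeof rebuilt);           /* fresh start per run */

    toy_packet *p = rebuild_clean(bad, sizeof bad - 1);
    classify(p, defensive);
    (void)consumer_verdict(p);                     /* -1: correctly rejected */

    /* ... missing data detected here; the engine takes the gap path ... */
    p = rebuild_after_gap(good, sizeof good - 1);
    classify(p, defensive);
    return consumer_verdict(p);
}

int main(void)
{
    printf("naive preprocessor, good data after gap: verdict %d\n", run_scenario(0));
    printf("defensive preprocessor, good data after gap: verdict %d\n", run_scenario(1));
    return 0;
}
```

The naive classifier only ever sets bits, so after the gap the pseudo-packet carries both PP_REJECTED (stale, from "Xbad") and PP_ACCEPTED (fresh, from "hello"), and the consumer rejects clean data. Clearing your own bits on entry costs one AND and makes the preprocessor correct whether or not the engine zeroes the struct; it is a workaround, not a substitute for fixing the rebuild path, but it also guards against any future engine change that reuses packet memory.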