Re: Snort v2.7.0 Now Available

[Todd Wease <twease () sourcefire com>]

Colin

The problem you have come across will only happen when GRE is enabled in
Snort with the --enable-gre option to configure and a Stream5
configuration is used.  Using a Stream4 configuration will not cause the
issue.  Please note that the GRE option is still experimental in Snort.

The issue is due to some code porting from Stream4 to Stream5 involving
the updating of a GRE packet counter.

A bug has been created, but for now, attached is a patch that should
remedy the problem for those that would like to continue using the
experimental GRE option with Stream5.

Thanks Colin for testing out the GRE option in Snort and finding and
posting this issue.

Thanks
Todd


Colin Grady wrote:
> I stuck with the default configuration provided in the snort.conf
> included in the 2.7.0 tar.gz:
>
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> # preprocessor stream5_udp: ignore_any_rules
>
> Thanks,
>
> Colin Grady
>
>
> On 7/20/07, Justin Heath <justin.heath () gmail com> wrote:
> > Can you add your stream5 conf? BTW, if you have icmp tracking on in
> > stream5 turn it off as this is still experimental.
> >
> > Cheers,
> > Justin
> >
> > On 7/20/07, Colin Grady <colin.grady () gmail com> wrote:
> > > I do not have a backtrace or pcap to provide, sorry.
> > >
> > > I used a compiled version using the following options:
> > >
> > > ./configure --prefix=/opt/snort --enable-pthread
> > > --enable-dynamicplugin --enable-gre
> > >
> > > This is on Ubuntu feisty (server).
> > >
> > > Command-line options are:
> > >
> > > /opt/snort/bin/snort -c /opt/snort/etc/snort_eth0.conf -K none
> > >
> > > Making only a change to the config to switch from stream5 (when it
> > > crashes after 1-2 minutes) to stream4 caused the Snort process to
> > > remain stable and not segfault. Because of the consistency of the
> > > segfault timeframe, I'm not sure it's related to the traffic crossing
> > > the monitored wire.
> > >
> > > Thanks,
> > >
> > > Colin Grady
> > >
> > >
> > > On 7/20/07, Justin Heath <justin.heath () gmail com> wrote:
> > > > On 7/20/07, Justin Heath <justin.heath () gmail com> wrote:
> > > > > Colin,
> > > > >
> > > > > Can you please provide some addtional detail? What OS, version etc?
> > > > > Are you using a binary from snort.org or did you compile from source?
> > > > > If you compiled from source what configure and build options did you
> > > > > use? Do you have a pcap or backtrace associated with this fault? If
> > > > > you have a backtrace and/or pcap and do not wish to post it to the
> > > > > list please send to bugs () snort org.
> > > > >
> > > > >
> > > > > Cheers,
> > > > > Justin
> > > > >
> > > > > On 7/20/07, Colin Grady <colin.grady () gmail com> wrote:
> > > > > > I'm seeing a segmentation fault occur after a couple minutes of
> > > > > > running in IDS mode -- doesn't seem to matter if it's in daemon mode
> > > > > > or not. Anyone else seeing this?
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Colin Grady
Index: src/preprocessors/Stream5/snort_stream5_tcp.c
===================================================================
RCS file: /usr/cvsroot/sfeng/ims/sfsnort/snort/src/preprocessors/Stream5/snort_stream5_tcp.c,v
retrieving revision 1.42.2.63
diff -p -u -r1.42.2.63 snort_stream5_tcp.c
--- src/preprocessors/Stream5/snort_stream5_tcp.c       11 Jul 2007 15:35:54 -0000      1.42.2.63
+++ src/preprocessors/Stream5/snort_stream5_tcp.c       20 Jul 2007 22:03:16 -0000
@@ -2810,7 +2810,7 @@ void TcpSessionCleanup(Stream5LWSession 
             /* Hack so rebuilt/reinserted packet isn't counted toward GRE total
              * Right now, this only works if the delivery protocol is IP
              */
-            if (((IPHdr *)(tcpssn->client.seglist->pktOrig + ETHERNET_HEADER_LEN))->ip_proto == IPPROTO_GRE)
+            if (((IPHdr *)(tcpssn->server.seglist->pktOrig + ETHERNET_HEADER_LEN))->ip_proto == IPPROTO_GRE)
             {
                 pc.gre--;
             }

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users