Snort mailing list archives

Re: [Snort-users] 2.9.0.1 performance issue


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 18 Nov 2010 17:01:33 +0000

On 11/18/2010 4:26 PM, L0rd Ch0de1m0rt wrote:
> Hello.  To be clear, there is no fix for the "http_inspect\stream
> reassembly" bug at the moment (if there is a fix in SVN, let me know
> so I can take action here b/c this is seriously a non-trivial bug for
> me).  Apparently it is an issue with Stream5 having premature buffer
> flushing issues.
>
> Government/Critical Infrastructure companies take note: this bug leads
> to easy IDS/IPS evasion and this issue, "predates Snort 2.9.0"
> according to Sourcefire.
>
> -L0rd C.
>
> On Thu, Nov 18, 2010 at 10:09 AM, matan monitz <mmonitz () gmail com> wrote:
>> sounds related to the http_inspect\stream reassembly bugfix

The stream reassembly+http_inspect bug has been around for quite some 
time. The one that got fixed recently with http_inspect was the 
chunked+gzip bug that had also been around for quite some time. 
http_inspect would do either dechunking or gunzip'ing, but not both. So 
if a client downloaded gzip'd http that was chunked, http_inspect would 
dechunk it (but not gunzip it) before shoving it off to the rules engine 
for inspection. This got fixed in 2.9.0 though, so I wouldn't think that 
is the reason for the code change between 2.9.0 and 2.9.0.1.

-- Eoin
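
Added example, not part of the original message and not Snort's code: the decode order described above, in Python, where a chunked, gzip'd HTTP body has to be dechunked and then gunzip'd before a content match can see the payload. The function names, the marker string and the sample response are constructed for illustration.

```python
import gzip

def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-coded body (trailers are ignored)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        # The chunk-size line is hex and may carry ";extension" parameters.
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        if size == 0:
            return bytes(out)
        start = eol + 2
        if body[start + size:start + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        out += body[start:start + size]
        pos = start + size + 2

def normalize(headers: dict, body: bytes, gunzip: bool = True) -> bytes:
    """Undo Transfer-Encoding first, then Content-Encoding.
    gunzip=False models the dechunk-only behaviour described in the message."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    if gunzip and "gzip" in headers.get("content-encoding", "").lower():
        body = gzip.decompress(body)
    return body

def chunked(data: bytes, n: int) -> bytes:
    """Frame data as n-byte chunks (used only to build the sample input)."""
    parts = [b"%x\r\n%s\r\n" % (len(data[i:i + n]), data[i:i + n]) for i in range(0, len(data), n)]
    return b"".join(parts) + b"0\r\n\r\n"

# Constructed sample response: a benign marker stands in for rule content.
MARKER = b"EXAMPLE-RULE-CONTENT"
PLAIN = b"<html>" + MARKER * 3 + b"</html>"
HEADERS = {"transfer-encoding": "chunked", "content-encoding": "gzip"}
WIRE = chunked(gzip.compress(PLAIN), 7)

def rule_matches(buf: bytes) -> bool:
    """Stand-in for a content match run against the normalized buffer."""
    return MARKER in buf
```

With `gunzip=False` the buffer handed to `rule_matches` still starts with the gzip magic bytes `1f 8b`, which is a quick way to check whether a normalization stage was skipped.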

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel