Snort mailing list archives
Re: Enormous increase in GZIP Decompression failures with 2.9.3 vs 2.9.2.3 on 64-bit
From: Brett Edgar <brett.edgar () gmail com>
Date: Wed, 25 Jul 2012 10:17:07 -0500
Update: the *exact* ./configure command was:

./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 --enable-shared --disable-static --enable-sourcefire --disable-so-with-static-lib --enable-dynamicplugin --disable-control-socket --enable-ipv6 --enable-zlib --enable-gre --enable-mpls --enable-targetbased --enable-ppm --enable-perfprofiling --enable-linux-smp-stats --disable-inline-init-failopen --enable-pthread --disable-debug --disable-debug-msgs --disable-corefiles --disable-gdb --enable-dlclose --enable-active-response --enable-normalizer --enable-reload --enable-reload-error-restart --enable-react --enable-flexresp3 --enable-paf --disable-large-pcap --disable-rzb-saac --disable-build-dynamic-examples --disable-profile --disable-ppm-test --disable-intel-soft-cpm --disable-static-daq --disable-rzb-saac

Gentoo ebuilds make ./configure a little wordy. :) FYI, this is my own ebuild, not an official Gentoo one, not that that should matter. GCC version is 4.5.3.

Also, I am a C programmer and I have done my homework: I have examined the code changes for http_inspect between 2.9.2.3 and 2.9.3, and nothing jumps out at me as being problematic...

-Brett

On Wed, Jul 25, 2012 at 10:11 AM, Brett Edgar <brett.edgar () gmail com> wrote:
> After upgrading a handful of x64 IDS sensors from Snort 2.9.2.3 to Snort 2.9.3.0, I have noticed an enormous increase (almost 45 times higher) in GZIP decompression failures (sig 120:6) coming from the http_inspect preprocessor. The only other package that was updated with the move to Snort 2.9.3 was the Sourcefire DAQ library (from 0.6.2 to 1.1.1). Since the VRT did not recommend any snort.conf changes, my Snort configuration was not changed aside from moving to the 2.9.3.0 subscription rule set (from 2.9.2.3). The http_inspect configuration is identical to what I was using with 2.9.2.3.
>
> What's bothersome is that I do NOT see the same increase on some x86 (32-bit) sensors that were upgraded at the same time. I'm using Gentoo as my distro. My x86 and x64 versions are compiled identically and linked against the same packages. Snort was compiled with --enable-sourcefire --linux-smp-stats and --enable-reload-error-restart. It is linked with zlib 1.2.5, libpcap 1.1.1, libdnet 1.11, daq 1.1.1, and libpcre 8.30.
>
> Since I've only seen the 120:6 alert increase on 64-bit systems, I'm thinking there was some code change that may be using the wrong size integers?
>
> -Brett
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
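Added example, not from the post above and not Snort's own code: the poster reports more 120:6 "decompression failed" alerts on 64-bit sensors only and suspects an integer-width change. The snippet below uses Python's zlib binding (the same zlib library the sensors link against, per the post) to separate the three outcomes a streaming gzip decoder has to tell apart when an HTTP body arrives in pieces: complete, truncated (no zlib error, trailer never seen) and corrupt (zlib rejects it, here via a bad CRC32 in the trailer). It then reports the widths of the C types zlib uses for its own counters (uInt and uLong from zconf.h) on the running build, since uLong is 32 bits on the poster's x86 sensors and 64 bits on x86_64 Linux, and shows what a 64-bit count looks like after being stored in a 32-bit field. The post does not say which zlib outcome http_inspect counts as a failure, and nothing here establishes the cause of the alert increase; the sample body and the CRC corruption are constructed for the example.

```python
"""Reproduce gzip inflate outcomes and the ILP32/LP64 type-width difference.

Added example for the snort-devel thread above; not code from the post or
from Snort's http_inspect. Uses only the Python standard library.
"""
import ctypes
import zlib

# zlib's "expect a gzip wrapper" window-bits value (16 + MAX_WBITS == 31).
GZIP_WBITS = 16 + zlib.MAX_WBITS

# Constructed sample: a small, repetitive HTTP response body.
SAMPLE_BODY = b"<html><body>" + b"hello snort-devel " * 64 + b"</body></html>"


def gzip_bytes(data: bytes) -> bytes:
    """Gzip-compress `data` in memory (10-byte header, deflate stream, CRC32+ISIZE trailer)."""
    comp = zlib.compressobj(wbits=GZIP_WBITS)
    return comp.compress(data) + comp.flush()


def inflate_in_chunks(stream: bytes, chunk: int = 64):
    """Feed `stream` to zlib `chunk` bytes at a time, as a reassembled body would arrive.

    Returns (status, output) where status is one of:
      'complete'  - zlib consumed the gzip trailer (eof set) and checked the CRC
      'truncated' - input ran out before the trailer; zlib raised no error
      'corrupt'   - zlib rejected the data (zlib.error, e.g. bad header or CRC)
    """
    d = zlib.decompressobj(wbits=GZIP_WBITS)
    out = bytearray()
    try:
        for i in range(0, len(stream), chunk):
            out += d.decompress(stream[i:i + chunk])
            if d.eof:          # trailer seen; anything left is unused_data
                break
    except zlib.error:
        return ("corrupt", bytes(out))
    return ("complete" if d.eof else "truncated", bytes(out))


def c_type_widths() -> dict:
    """Bit widths, on this build, of the C types zlib uses for its counters.

    zconf.h defines uInt as unsigned int (avail_in/avail_out) and uLong as
    unsigned long (total_in/total_out). unsigned long is 32 bits on ILP32
    (x86 Linux) and 64 bits on LP64 (x86_64 Linux).
    """
    return {
        "uInt": 8 * ctypes.sizeof(ctypes.c_uint),
        "uLong": 8 * ctypes.sizeof(ctypes.c_ulong),
        "size_t": 8 * ctypes.sizeof(ctypes.c_size_t),
    }


def wrap_to_uint(value: int) -> int:
    """What a (possibly 64-bit) byte count becomes when stored in a 32-bit unsigned int.

    This is the class of mismatch the poster hypothesises, shown generically;
    it is not a claim about any particular line of Snort.
    """
    return ctypes.c_uint(value).value


def demo() -> dict:
    """Run the three inflate cases plus the width report and return the results."""
    full = gzip_bytes(SAMPLE_BODY)
    truncated = full[:len(full) // 2]                 # cut before the trailer
    bad_crc = full[:-8] + bytes([full[-8] ^ 0xFF]) + full[-7:]  # flip a CRC32 byte
    return {
        "complete": inflate_in_chunks(full),
        "truncated": inflate_in_chunks(truncated),
        "bad_crc": inflate_in_chunks(bad_crc),
        "widths": c_type_widths(),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        if name == "widths":
            print(name, result)
        else:
            print(name, result[0], "bytes out:", len(result[1]))
    print("2**32 + 5 stored in a uInt:", wrap_to_uint(2**32 + 5))
```

Run on an x86_64 Linux host the width report shows uLong at 64 bits; on an x86 build of the same interpreter it shows 32, which is the only guaranteed ILP32/LP64 difference in zlib's own types. Whether a given decoder reports the truncated case as a failure depends on that decoder, not on zlib, so comparing how the two Snort versions treat an unfinished stream is one concrete thing to check.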
Current thread:
- Enormous increase in GZIP Decompression failures with 2.9.3 vs 2.9.2.3 on 64-bit Brett Edgar (Jul 25)
- Re: Enormous increase in GZIP Decompression failures with 2.9.3 vs 2.9.2.3 on 64-bit Brett Edgar (Jul 25)
- Re: Enormous increase in GZIP Decompression failures with 2.9.3 vs 2.9.2.3 on 64-bit Matt Watchinski (Jul 25)
- Re: Enormous increase in GZIP Decompression failures with 2.9.3 vs 2.9.2.3 on 64-bit Brett Edgar (Jul 26)
- Re: Enormous increase in GZIP Decompression failures with 2.9.3 vs 2.9.2.3 on 64-bit Matt Watchinski (Jul 25)
- Re: Enormous increase in GZIP Decompression failures with 2.9.3 vs 2.9.2.3 on 64-bit Brett Edgar (Jul 25)