Snort mailing list archives
Re: ftp USER packet processed twice in SnortFTP
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 9 Sep 2013 09:07:39 -0400
If you can send a pcap and your related configuration we'll have a look. Thanks Russ On Thu, Sep 5, 2013 at 12:15 AM, Reinoud Koornstra <sockstat () hotmail com>wrote:
Hi Everyone, I am running into a weird case with the ftp/telnet preprocessor. I instrumented the code to make sure I am running a ftp connection through the preprocessor. In short, i'll exlain below, in case when the USER is specified in the ftp connection, the packet is being processed twice by the preprocessor. So in detect.c in Preprocess the preprocessors do process the packet. So during the linked list we'll enter FTPTelnetChecks. spp_ftptelnet.c, FTPTelnetChecks, calling SnortFTPTelnet snort_ftptelnet.c, SnortFTPTelnet, calling SnortFTP In case of the USER ftp command we see this: snort_ftptelnet.c, SnortFTP, Client packet: rebuilt yes: USER blabla snort_ftptelnet.c, SnortFTP, calling initialize_ftp snort_ftptelnet.c, SnortFTP, calling check_ftp snort_ftptelnet.c, SnortFTP, calling do_detection which calls DynamicDetect snort_ftptelnet.c, do_detection, calling DynamicDetect sf_dynamic_plugins.c, DynamicDetect, calling Detect, Packet ID is 39515 Now the weird thing ..... only in case of the USER statement in the packet is being processed by the preprocessor yet another time .... I have no clue as to why. When once processed in do_detection, the preprocessor flags is set to ALL_OFF. After this is done we return to DynamicDetect which returns to SnortFTP..... But we return to initialize_ftp....... in case of the USER statement. I do not understand or see why, but it happens, I verified it 100 times over. I did some instrumentation to verify whether what i saw was real by checking the if the IP ID is the same as the packet processed before, and in the case of the USER statement it is. In SnortFTP we see this: if (iInspectMode == FTPP_SI_SERVER_MODE) { /* Force flush of client side of stream */ bla bla bla bla then there is an else statement and after the initialize_ftp function is called and it's exactly here where we return after the first time inspection in case of the USER statement. I am baffled, as nothing in the code tells me why we return here, i can find nothing that tells me where we're returning there. It looks like a bug to me. I compiled with -O0 to rule out it was the optimization but that didn't help. Running it thought gdb ... and the packet is not processed twice. Does anybody have a clue why i am seeing what i am seeing? Also, because of this i do propose some checking code in do_detection: void do_detection(void *p) { //extern int do_detect; //extern OptTreeNode *otn_tmp; Packet *checkPacket; checkPacket = (Packet *)p; if (checkPacket->preprocessor_bits == PP_ALL_OFF) // This is set by _dpd.disableAllDetect(p) { return; } now we'll need to cast p to SFSnortPacket to continue the function. Thanks, Reinoud. ------------------------------------------------------------------------------ Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more! Discover the easy way to master current and previous Microsoft technologies and advance your career. Get an incredible 1,500+ hours of step-by-step tutorial videos with LearnDevNow. Subscribe today and save! http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more! Discover the easy way to master current and previous Microsoft technologies and advance your career. Get an incredible 1,500+ hours of step-by-step tutorial videos with LearnDevNow. Subscribe today and save! http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- ftp USER packet processed twice in SnortFTP Reinoud Koornstra (Sep 04)
- Re: ftp USER packet processed twice in SnortFTP Russ Combs (Sep 09)