Snort mailing list archives
Re: dnp3 preprocesser: incorrect message when track_udp is disabled
From: Hui Cao <hcao () sourcefire com>
Date: Thu, 18 Jul 2013 15:53:28 -0400
Hi Bram, Thanks for reporting this. I will bug this. Best, Hui. On Thu, Jul 18, 2013 at 3:10 PM, Bram <bram-fabeg () mail wizbit be> wrote:
Hi, When 'track_udp' is set to 'no' in the stream5_global config then it causes the message "WARNING: DNP3 memcap exceeded" to be logged. This message is unexpected since the memory usage did not exceed the memcap. Configuration: dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/ preprocessor stream5_global: track_tcp yes, track_udp no preprocessor stream5_tcp: policy first, ports client 20000 preprocessor stream5_udp: timeout 180 preprocessor dnp3: ports { 20000 } memcap 262144 check_crc output alert_fast: stdout Running it: $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/dnp3.cap ... Commencing packet processing (pid=14326) 07/20-14:07:30.865299 192.168.173.1:56323 -> 192.168.173.153:20000 UDP TTL:64 TOS:0x0 ID:14163 IpLen:20 DgmLen:32 DF Len: 4 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: DNP3 memcap exceeded. 07/20-14:07:32.019776 192.168.173.1:56323 -> 192.168.173.153:20000 UDP TTL:64 TOS:0x0 ID:14164 IpLen:20 DgmLen:32 DF Len: 4 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ ... dynamic-preprocessors/dnp3/spp_dnp3.c line 504-521 contains: /* Create session data and attach it to the Stream5 session */ tmp_bucket = DNP3CreateSessionData(packetp); if (tmp_bucket == NULL) { /* Mempool was full, don't process this session. */ static unsigned int times_mempool_alloc_failed = 0; /* Print a message, but only every 1000 times. Don't want to flood the log if there's a lot of DNP3 traffic. */ if (times_mempool_alloc_failed % 1000) { _dpd.logMsg("WARNING: DNP3 memcap exceeded.\n"); } times_mempool_alloc_failed++; PREPROC_PROFILE_END(dnp3PerfStats); return; } dynamic-preprocessors/dnp3/spp_dnp3.c line 578-592 contains: static MemBucket * DNP3CreateSessionData(SFSnortPacket *packet) { MemBucket *tmp_bucket = NULL; dnp3_session_data_t *data = NULL; /* Sanity Check */ if (!packet || !packet->stream_session_ptr) return NULL; /* data = (dnp3_session_data_t *)calloc(1, sizeof(dnp3_session_data_t)); */ tmp_bucket = mempool_alloc(dnp3_mempool); if (!tmp_bucket) return NULL; Checking it with gdb shows: DNP3CreateSessionData (packet=3D0xbfffeff8) at spp_dnp3.c:580 580 in spp_dnp3.c (gdb) print packet $3 = (SFSnortPacket *) 0xbfffeff8 (gdb) print packet->stream_session_ptr $4 = (void *) 0x0 The 'stream_session_ptr' in packet is 0 -> the code returns NULL which causes tmp_bucket to become NULL which causes the message to be logged since it assumes this only happens when the memcap is full. My guess is that 'stream_session_ptr' is 0 because 'track_udp' is disabled but this wasn't investigated further. Best regards, Bram ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.
------------------------------------------------------------------------------ See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- dnp3 preprocesser: incorrect message when track_udp is disabled Bram (Jul 18)
- Re: dnp3 preprocesser: incorrect message when track_udp is disabled Hui Cao (Jul 18)