Snort mailing list archives

Re: dnp3 preprocessor: incorrect message when track_udp is disabled


From: Hui Cao <hcao () sourcefire com>
Date: Thu, 18 Jul 2013 15:53:28 -0400

Hi Bram,

Thanks for reporting this. I will bug this.

Best,
Hui.

On Thu, Jul 18, 2013 at 3:10 PM, Bram <bram-fabeg () mail wizbit be> wrote:
Hi,


When 'track_udp' is set to 'no' in the stream5_global config, it causes
the message "WARNING: DNP3 memcap exceeded" to be logged.
This message is unexpected, since the memory usage did not exceed the memcap.

Configuration:
        dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
        preprocessor stream5_global: track_tcp yes, track_udp no
        preprocessor stream5_tcp: policy first, ports client 20000
        preprocessor stream5_udp: timeout 180

        preprocessor dnp3: ports { 20000 } memcap 262144 check_crc
        output alert_fast: stdout

Running it:
        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/dnp3.cap

        ...
        Commencing packet processing (pid=14326)
        07/20-14:07:30.865299 192.168.173.1:56323 -> 192.168.173.153:20000
        UDP TTL:64 TOS:0x0 ID:14163 IpLen:20 DgmLen:32 DF
        Len: 4

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

        WARNING: DNP3 memcap exceeded.
        07/20-14:07:32.019776 192.168.173.1:56323 -> 192.168.173.153:20000
        UDP TTL:64 TOS:0x0 ID:14164 IpLen:20 DgmLen:32 DF
        Len: 4

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
        ...



dynamic-preprocessors/dnp3/spp_dnp3.c line 504-521 contains:

        /* Create session data and attach it to the Stream5 session */
        tmp_bucket = DNP3CreateSessionData(packetp);

        if (tmp_bucket == NULL)
        {
            /* Mempool was full, don't process this session. */
            static unsigned int times_mempool_alloc_failed = 0;

            /* Print a message, but only every 1000 times.
               Don't want to flood the log if there's a lot of DNP3 traffic. */
            if (times_mempool_alloc_failed % 1000)
            {
                _dpd.logMsg("WARNING: DNP3 memcap exceeded.\n");
            }
            times_mempool_alloc_failed++;

            PREPROC_PROFILE_END(dnp3PerfStats);
            return;
        }


dynamic-preprocessors/dnp3/spp_dnp3.c line 578-592 contains:

        static MemBucket * DNP3CreateSessionData(SFSnortPacket *packet)
        {
                MemBucket *tmp_bucket = NULL;
                dnp3_session_data_t *data = NULL;

                /* Sanity Check */

                if (!packet || !packet->stream_session_ptr)
                        return NULL;

                /* data = (dnp3_session_data_t *)calloc(1,
sizeof(dnp3_session_data_t)); */

                tmp_bucket = mempool_alloc(dnp3_mempool);
                if (!tmp_bucket)
                        return NULL;


Checking it with gdb shows:
        DNP3CreateSessionData (packet=0xbfffeff8) at spp_dnp3.c:580
        580     in spp_dnp3.c
        (gdb) print packet
        $3 = (SFSnortPacket *) 0xbfffeff8
        (gdb) print packet->stream_session_ptr
        $4 = (void *) 0x0

The 'stream_session_ptr' in packet is 0, so the code returns NULL, which
causes tmp_bucket to become NULL, which causes the message to be logged, since
it assumes this only happens when the memcap is full.

My guess is that 'stream_session_ptr' is 0 because 'track_udp' is disabled
but this wasn't investigated further.



Best regards,

Bram

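As an added example, not code from Snort or from the report above, the following C model of the session-creation step keeps the two reasons a NULL bucket can come back apart: "Stream5 has no session for this packet" (what `track_udp no` produces for UDP) and "the mempool is exhausted". `packet_t`, `mempool_t`, the bucket array and `mempool_alloc()` are toy stand-ins for Snort's SFSnortPacket, MemPool and mempool_alloc(); the function names only echo spp_dnp3.c. It also carries the quoted `% 1000` check beside the every-1000th check its comment describes, so the two can be compared on the first and second failure.

```c
/* Added example, not code from Snort or from the report above: a small model of the
 * DNP3 session-creation step that tells "no Stream5 session" apart from "mempool
 * exhausted".  packet_t, mempool_t and the bucket pool are stand-ins for Snort's
 * SFSnortPacket, MemPool and mempool_alloc(); the function names only echo spp_dnp3.c. */
#include <stdio.h>
#include <stddef.h>

#define POOL_MAX 8   /* hard ceiling of the toy bucket array */

typedef struct { void *stream_session_ptr; } packet_t;   /* only the field that matters */
typedef struct { int capacity; int used; } mempool_t;    /* toy fixed-capacity pool */
typedef struct { int id; } bucket_t;

static bucket_t pool[POOL_MAX];

/* Returns NULL only when the pool is genuinely full, i.e. the memcap was hit. */
static bucket_t *mempool_alloc(mempool_t *mp)
{
    if (mp->used >= mp->capacity || mp->used >= POOL_MAX)
        return NULL;
    pool[mp->used].id = mp->used;
    return &pool[mp->used++];
}

typedef enum {
    SESSION_CREATED,
    SESSION_SKIPPED_NO_STREAM,  /* stream_session_ptr == NULL: Stream5 is not tracking this flow */
    SESSION_SKIPPED_MEMCAP      /* mempool exhausted: the only case that merits the warning */
} session_result_t;

/* The check as quoted from the snippet: `if (times % 1000)` is false on the first
 * failure and true on the next 999, which matches the posted output (silent first
 * packet, warning on the second). */
static int quoted_check_logs(unsigned long times_failed)
{
    return (times_failed % 1000) != 0;
}

/* What the comment in the snippet describes: log the 1st, 1001st, 2001st ... failure. */
static int should_log_every(unsigned long times_failed, unsigned long every)
{
    return (times_failed % every) == 0;
}

static unsigned long memcap_failures = 0;
static unsigned long memcap_warnings_logged = 0;

static session_result_t dnp3_process_packet(mempool_t *mp, const packet_t *p)
{
    /* Hardened ordering: rule out the "no Stream5 session" case before touching the
     * pool, so a NULL bucket can only mean the memcap was exceeded. */
    if (p == NULL || p->stream_session_ptr == NULL)
        return SESSION_SKIPPED_NO_STREAM;

    if (mempool_alloc(mp) == NULL) {
        if (should_log_every(memcap_failures, 1000)) {
            memcap_warnings_logged++;
            printf("WARNING: DNP3 memcap exceeded.\n");
        }
        memcap_failures++;
        return SESSION_SKIPPED_MEMCAP;
    }
    return SESSION_CREATED;
}

typedef struct { int created, no_stream, memcap; unsigned long warnings; } scenario_t;

/* Constructed traffic: n_untracked packets with no Stream5 session (what `track_udp no`
 * produces for UDP), then n_tracked packets that do have one, against a pool of the
 * given capacity (at most POOL_MAX). */
static scenario_t run_scenario(int capacity, int n_untracked, int n_tracked)
{
    scenario_t r = { 0, 0, 0, 0 };
    mempool_t mp = { capacity, 0 };
    int session;   /* any non-NULL address stands in for a Stream5 session pointer */

    memcap_failures = memcap_warnings_logged = 0;
    for (int i = 0; i < n_untracked + n_tracked; i++) {
        packet_t p = { i < n_untracked ? NULL : (void *)&session };
        switch (dnp3_process_packet(&mp, &p)) {
        case SESSION_CREATED:           r.created++;   break;
        case SESSION_SKIPPED_NO_STREAM: r.no_stream++; break;
        case SESSION_SKIPPED_MEMCAP:    r.memcap++;    break;
        }
    }
    r.warnings = memcap_warnings_logged;
    return r;
}

int main(void)
{
    /* The reported setup: two UDP packets, Stream5 not tracking UDP, memcap untouched. */
    scenario_t untracked = run_scenario(4, 2, 0);
    printf("track_udp no : no_stream=%d memcap=%d warnings=%lu\n",
           untracked.no_stream, untracked.memcap, untracked.warnings);

    /* A real memcap hit: six tracked flows into a pool of four. */
    scenario_t full = run_scenario(4, 0, 6);
    printf("pool full    : created=%d memcap=%d warnings=%lu\n",
           full.created, full.memcap, full.warnings);
    return 0;
}
```

With the session check moved ahead of the allocation, the two untracked UDP packets from the report are counted as "no stream session" and produce no memcap warning, while a genuine pool exhaustion still logs once per 1000 failures. The check that does the rate limiting is kept in its own function so its behaviour on the first and second failure can be compared against the quoted one directly.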


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!