Snort mailing list archives
File preprocessor: suspected bug found and solved
From: Pablo Cantos Polaino <pcantos () redborder org>
Date: Thu, 21 May 2015 16:11:54 +0200
Hello all, Some weeks ago I found a suspected bug related to the File preprocessor (follow the link: http://sourceforge.net/p/snort/mailman/message/33605425/): snort/src/dynamic-preprocessors/file/file_agent.c:601-614
/* * File type callback when file type is identified * * For file capture or file signature, FILE_VERDICT_PENDING must be returned */ static File_Verdict file_agent_type_callback(void* p, void* ssnptr, uint32_t file_type_id, bool upload, uint32_t file_id) { file_inspect_stats.file_types_total++; if (file_signature_enabled || file_capture_enabled) return FILE_VERDICT_UNKNOWN; else return FILE_VERDICT_LOG; } You can read on the description that FILE_VERDICT_PENDING must be returned when file capture OR file signature is enabled, but what really the code does is to return FILE_VERDICT_UNKNOWN when capture or signature are enabled.
This code is returning a FILE_VERDICT_UNKNOWN when signature or capture are enabled. The UNKNOWN verdict is not taken into account in the next code, as well as the PENDING verdict that the previous code refers to: snort/src/file-process/file_service.c:734-784
if (context->file_type_id != SNORT_FILE_TYPE_CONTINUE) { if (file_type_cb) { verdict = file_type_cb(p, ssnptr, context->file_type_id, context->upload, context->file_id); file_stats.verdicts_type[verdict]++; } context->file_type_enabled = false; file_stats.files_processed[context->file_type_id][context->upload]++; #ifdef TARGET_BASED file_stats.files_by_proto[context->app_id]++; #endif } if (verdict == FILE_VERDICT_LOG ) { file_eventq_add(GENERATOR_FILE_TYPE, context->file_type_id, file_type_name(context->file_config, context->file_type_id), RULE_TYPE__ALERT); context->file_signature_enabled = false; pkt->packet_flags |= PKT_FILE_EVENT_SET; } else if (verdict == FILE_VERDICT_BLOCK) { file_eventq_add(GENERATOR_FILE_TYPE, context->file_type_id, file_type_name(context->file_config, context->file_type_id), RULE_TYPE__DROP); updateFileSize(context, data_size, position); context->file_signature_enabled = false; add_file_to_block(p, verdict, context->file_type_id, NULL); return 1; } else if (verdict == FILE_VERDICT_REJECT) { file_eventq_add(GENERATOR_FILE_TYPE, context->file_type_id, file_type_name(context->file_config, context->file_type_id), RULE_TYPE__REJECT); updateFileSize(context, data_size, position); context->file_signature_enabled = false; add_file_to_block(p, verdict, context->file_type_id, NULL); return 1; } else if (verdict == FILE_VERDICT_STOP) { context->file_signature_enabled = false; } else if (verdict == FILE_VERDICT_STOP_CAPTURE) { file_capture_stop(context); }
After that, the signature calculation starts and sending an event due to the file type is never considered. I have found a workaround and have included a piece of code when signature calculation finishes in order to send an event in case the File type has been identified. I'm not sure if this is the behavior that the snort guys pretended to develop at this point, but I've considered it a good place to include the file type event. This can be useful for someone who, for instance, intends to capture files and be alerted when a file type shows up. You can find the patch following the link below: https://github.com/redBorder/snort/commit/2ef66122f7d5a317a9d7f5a4602f5bbbd01ab37c Best Regards, Pablo Cantos redborder.org / pcantos () redborder org
------------------------------------------------------------------------------ One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight. http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- File preprocessor: suspected bug found and solved Pablo Cantos Polaino (May 21)
- Re: File preprocessor: suspected bug found and solved Hui Cao (huica) (May 22)
- Re: File preprocessor: suspected bug found and solved Pablo Cantos Polaino (May 25)
- Re: File preprocessor: suspected bug found and solved Hui Cao (huica) (May 22)