Snort mailing list archives
Re: Snort 2.9.8.0 can't detect hits over fragmented packets using multiple policies
From: "Ed Borgoyn (eborgoyn)" <eborgoyn () cisco com>
Date: Fri, 29 Jan 2016 13:32:51 +0000
Jon,

Thanks for the note. We will investigate.

Ed Borgoyn
Cisco Snort Development Team

On 1/25/16, 7:34 PM, "Jon Larson" <jon () catbird com> wrote:
Using netcat and fragroute I created a TCP stream that contains some content that triggers a rule hit. The content spans multiple TCP packets. If I run this with a simple configuration with one policy, snort properly detects the rule hit. However, when I run it with the following:

    config binding: policy1.conf vlan 100
    config binding: policy1.conf policy_id 1
    config binding: policy2.conf vlan 101
    config binding: policy2.conf policy_id 2

I get no rule hit (the traffic is on vlan 100). The above has three policies: the default one and the above two. The policy1.conf file has the rule that should have been hit.

I have lines in the default policy, policy1.conf and policy2.conf that load stream5_tcp like this:

    preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, ...

I don't know how it could work given the code in the spp_session.c:initializeSessionPreproc, that only does this once:

    AddFuncToPreprocList(sc, sessionPacketProcessor, PP_SESSION_PRIORITY, PP_SESSION, PROTO_BIT__ALL);

because up above is the check:

    if (session_configuration == NULL)

As such stream5 will only be enabled for the default configuration.

Is this a known issue with 2.9.8.0 or perhaps I'm missing something? I tested this using snort 2.9.6.2 and it works fine.

TIA,
Jon L.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
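Jon's reproduction above needs netcat and fragroute on a live interface; as an added example that is not part of this thread, the following Python script builds the equivalent fixture offline: a pcap holding a three-way handshake on VLAN 100 followed by marker content split across several TCP segments, so the single-policy and `config binding` setups can each be replayed with `snort -r` under 2.9.6.2 and 2.9.8.0 and their alerts compared. IP addresses, MAC addresses, port 80 and the marker string are constructed values; the `content:` rule in policy1.conf that should match the marker is assumed to be the reader's own.

```python
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08

def csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for both the IPv4 header and TCP."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def tcp_segment(src, dst, sport, dport, seq, ack, flags, payload=b"", vlan=100):
    """Ethernet + 802.1Q(vlan) + IPv4 + TCP frame with valid checksums, no options."""
    sip, dip = bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", csum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"  # constructed MACs
    return eth + struct.pack("!HHH", 0x8100, vlan & 0x0FFF, 0x0800) + ip + tcp

def build_stream(content: bytes, chunk: int, vlan: int = 100) -> list:
    """3-way handshake, then `content` as client PSH/ACK segments of `chunk` bytes each."""
    c, s, cseq, sseq = "10.0.0.1", "10.0.0.2", 1000, 5000  # constructed endpoints/ISNs
    frames = [tcp_segment(c, s, 40000, 80, cseq, 0, SYN, vlan=vlan),
              tcp_segment(s, c, 80, 40000, sseq, cseq + 1, SYN | ACK, vlan=vlan),
              tcp_segment(c, s, 40000, 80, cseq + 1, sseq + 1, ACK, vlan=vlan)]
    cseq += 1
    for i in range(0, len(content), chunk):
        piece = content[i:i + chunk]
        frames.append(tcp_segment(c, s, 40000, 80, cseq, sseq + 1, PSH | ACK, piece, vlan))
        cseq += len(piece)
    return frames

def vlan_id(frame: bytes) -> int:
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
def payload(frame: bytes) -> bytes:
    return frame[58:]  # 18-byte tagged Ethernet + 20-byte IPv4 + 20-byte TCP
def checksums_ok(frame: bytes) -> bool:  # IPv4 header and TCP pseudo-header sums fold to 0
    ip, tcp = frame[18:38], frame[38:]
    return csum(ip) == 0 and csum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0

def write_pcap(path: str, frames: list) -> None:  # classic pcap, linktype 1 = Ethernet
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, fr in enumerate(frames):  # arbitrary 2016 timestamps, 1 s apart
            f.write(struct.pack("<IIII", 1453766400 + i, 0, len(fr), len(fr)) + fr)
```

Generate the file with `write_pcap("vlan100_split.pcap", build_stream(b"SNORT-MULTIPOLICY-TEST-CONTENT", 7))` and replay it with `snort -c snort.conf -r vlan100_split.pcap -A console` once with the single-policy configuration and once with the vlan bindings; changing the `vlan` argument to 101 checks that policy2.conf is selected for the other tag.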