Snort mailing list archives

Re: BUG in stream4 reassemble


From: Chris Green <cmg () sourcefire com>
Date: Mon, 01 Apr 2002 06:50:06 -0500

Peng Yong <ppyy () staff cn99 com> writes:

> we use snort Version 1.8.4 (Build 99) to log all the POP3 packets of
> our private network. and find there are some duplicate packet when
> we enable stream4_reassemble.


That's the way S4 reassemble works currently.  Perhaps we should always
flush the stream the same way we do on alerts if the packet is logged.

Anyway, the way it works is aggregating several packets together and
forming a pseudo packet and sending that pseudo packet through the
detection engine.

In snort 2.0, that will be changed to a real byte stream.


> if we disable stream4_reassemble, it works ok.
> 
> the duplicate packet has a feature. The ID of the IP header is always 0. here
> is an example:
> 
> 04/01-16:54:22.995507 202.102.2.83:110 -> 192.168.0.99:2979
> TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:174
> 
> is this a BUG of stream4_reassemble?
> 
> 
> here is our snort.conf:
> 
> preprocessor frag2
> preprocessor stream4: keepstats
> preprocessor stream4_reassemble: both, ports 110
> var MY_NET [192.168.0.0/24]
> log tcp any 110 <> $MY_NET any

If this had been an alert, I don't think you would have seen
reassembled packets, so it's a bug with log in conjunction with stream
reassembly.

Although, if you are going to log everything on those ports, why are
you reassembling them? :-)
-- 
Chris Green <cmg () sourcefire com>
A watched process never cores.
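One way to triage such a log offline, as an added example that is not part of the thread or of Snort itself: it parses the two-line snort 1.8 log header format quoted above and uses the ID:0 feature Peng Yong reports to separate stream4 pseudo-packets from packets seen on the wire. The sample log is constructed; that pseudo-packets carry IP ID 0 is taken from the post, and the caveat that a real unfragmented datagram may also carry ID 0 is an assumption, so the result is a triage hint rather than proof.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the two-line snort 1.8 ASCII log header format quoted
# in the thread: a packet seen on the wire, the stream4 pseudo-packet that
# reassembles it (IP ID 0, the reported symptom), and an unrelated client packet.
SAMPLE_LOG = """\
04/01-16:54:22.995001 202.102.2.83:110 -> 192.168.0.99:2979
TCP TTL:240 TOS:0x10 ID:41337 IpLen:20 DgmLen:174

04/01-16:54:22.995507 202.102.2.83:110 -> 192.168.0.99:2979
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:174

04/01-16:54:23.101000 192.168.0.99:2979 -> 202.102.2.83:110
TCP TTL:128 TOS:0x0 ID:5120 IpLen:20 DgmLen:40
"""

# Timestamp/5-tuple line followed by the TCP/IP header summary line.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\n"
    r"TCP TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<ip_id>\d+) "
    r"IpLen:\d+ DgmLen:(?P<dgmlen>\d+)",
    re.MULTILINE,
)

Record = Dict[str, object]

def parse_records(text: str) -> List[Record]:
    """Parse every two-line TCP packet header into a dict of typed fields."""
    recs: List[Record] = []
    for m in HEADER_RE.finditer(text):
        d = m.groupdict()
        recs.append({
            "ts": d["ts"], "src": d["src"], "dst": d["dst"],
            "sport": int(d["sport"]), "dport": int(d["dport"]),
            "ttl": int(d["ttl"]), "ip_id": int(d["ip_id"]),
            "dgmlen": int(d["dgmlen"]),
        })
    return recs

def is_stream4_pseudo(rec: Record) -> bool:
    """Heuristic from the thread: stream4 pseudo-packets carry IP ID 0.
    Assumption: a real, unfragmented datagram may also carry ID 0, so a hit
    is a triage hint to confirm against the flow's other records."""
    return rec["ip_id"] == 0

def split_log(text: str) -> Tuple[List[Record], List[Record]]:
    """Return (wire_packets, pseudo_packets) for a log written with reassembly on."""
    recs = parse_records(text)
    wire = [r for r in recs if not is_stream4_pseudo(r)]
    pseudo = [r for r in recs if is_stream4_pseudo(r)]
    return wire, pseudo
```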

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users