Snort mailing list archives

Snort vs. gcc 4.1.0


From: Allen McIntosh <mcintosh () research telcordia com>
Date: Tue, 04 Apr 2006 13:00:02 -0400

Snort and gcc 4.1.0 don't get along.

Background: I got started on this because I couldn't get snort as it came with Fedora Core 5 to work. I had a really simple example: a single TCP packet (containing lots of zeros) and a simple rule that detected a TCP packet containing a zero.

To make a long story short, here's the problem. First, modify decode.c (line numbers for 2.4.4, but the code is unchanged in 2.4.6 beta) to provide better diagnostics:

*** decode.c.ori        Fri Sep 16 17:06:35 2005
--- decode.c    Tue Apr  4 11:32:15 2006
***************
*** 2535,2546 ****
* checksum, but it's not bad to keep around for shits and giggles */
          /* calculate the checksum */
csum = in_chksum_tcp((u_int16_t *)&ph, (u_int16_t *)(p->tcph), len);

          if(csum)
          {
              p->csum_flags |= CSE_TCP;
!             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad TCP checksum\n",
!                                     "0x%x versus 0x%x\n", csum,
                                      ntohs(p->tcph->th_sum)););
              if(InlineMode())
              {
--- 2535,2548 ----
* checksum, but it's not bad to keep around for shits and giggles */
          /* calculate the checksum */
csum = in_chksum_tcp((u_int16_t *)&ph, (u_int16_t *)(p->tcph), len);
+             DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
+                       "TCP in_cksum_tcp is 0x%x\n", csum););

          if(csum)
          {
              p->csum_flags |= CSE_TCP;
!             DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
!                               "Bad TCP checksum 0x%x versus 0x%x\n", csum,
                                      ntohs(p->tcph->th_sum)););
              if(InlineMode())
              {
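Review bot: the old message at the `!` lines never printed its two values: "Bad TCP checksum\n" was the whole format string, so "0x%x versus 0x%x\n", csum and ntohs(p->tcph->th_sum) were passed as unused extra arguments. Folding the text into a single format string ("Bad TCP checksum 0x%x versus 0x%x\n") fixes that. The new unconditional DEBUG_WRAP on the `+` lines is what makes the per-packet csum histogram possible, but its text says "in_cksum_tcp" while the function two lines above is in_chksum_tcp; since the grep in the post keys on the message text, keep the two consistent if either is renamed.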


Then compile with gcc 4.1 as it comes with Fedora Core 5 and -O1 (DEBUG on). Run with SNORT_DEBUG=64 (i.e. DEBUG_DECODE turned on) over a file containing roughly 22K TCP packets:

        snort xxxxxxx | grep in_cksum_tcp | sort | uniq -c

Output:
  21934 decode.c:2539: TCP in_cksum_tcp is 0x0

Then compile (FC5 again) with gcc 4.1 and -O2.  Run with DEBUG_DECODE.
Output:

    873 decode.c:2539: TCP in_cksum_tcp is 0x0
  10110 decode.c:2539: TCP in_cksum_tcp is 0x5900
      3 decode.c:2539: TCP in_cksum_tcp is 0x5d14
      6 decode.c:2539: TCP in_cksum_tcp is 0x6100
     38 decode.c:2539: TCP in_cksum_tcp is 0x6314
    107 decode.c:2539: TCP in_cksum_tcp is 0x6514
      8 decode.c:2539: TCP in_cksum_tcp is 0x65ff
      1 decode.c:2539: TCP in_cksum_tcp is 0x7378
     10 decode.c:2539: TCP in_cksum_tcp is 0x800
     23 decode.c:2539: TCP in_cksum_tcp is 0x822d
      6 decode.c:2539: TCP in_cksum_tcp is 0x9eff
      6 decode.c:2539: TCP in_cksum_tcp is 0xa557
  10231 decode.c:2539: TCP in_cksum_tcp is 0xa6ff
     17 decode.c:2539: TCP in_cksum_tcp is 0xbc14
    477 decode.c:2539: TCP in_cksum_tcp is 0xbe14
     10 decode.c:2539: TCP in_cksum_tcp is 0xdb2d
      8 decode.c:2539: TCP in_cksum_tcp is 0xf7ff

Each case where csum is non-zero produces a "Bad TCP checksum" message. The "Bad TCP checksum" messages look like this (there are lots of them, and few counts greater than one):

      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x10
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1000
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1002
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1004
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1006
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1008
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x101
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1011
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1022
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1024
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x102f
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1031
      3 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1035
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1036
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1038
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1039
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x103a
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x104
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x104f
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1053
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x105f
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1063
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1064
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1067
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1068
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x106c

When decode.c is compiled with gcc 3.2 (from FC5) and -O2, results are the same as for gcc 4.1.0 with -O1.

I didn't investigate 2.4.6 beta thoroughly, but the code is unchanged, and the -O2 compiled decode.c doesn't work.
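As an added example (not Snort's in_chksum_tcp and not code from the post), here is a plain RFC 1071 TCP checksum over the IPv4 pseudo-header in C that only ever reads the buffer byte by byte; the addresses, ports and payload are constructed. Compiling it at -O1 and -O2 and comparing its output with a suspect checksum routine on the same segment is the kind of cross-check this report calls for: a correctly checksummed segment must fold to 0 at both levels.

```c
#include <stdint.h>
#include <string.h>

/* Byte-wise ones'-complement accumulator (RFC 1071): handles an odd trailing
 * byte and never reinterprets the buffer through a different pointer type. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t acc) {
    for (; len > 1; p += 2, len -= 2)
        acc += (uint32_t)((p[0] << 8) | p[1]);
    if (len)
        acc += (uint32_t)(p[0] << 8);
    return acc;
}

/* Fold the carries back in and complement: the wire-format checksum. */
static uint16_t fold(uint32_t sum) {
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP checksum over the IPv4 pseudo-header (src, dst, zero, protocol 6,
 * TCP length) followed by the TCP header and payload in seg[]. */
uint16_t tcp_checksum(const uint8_t src[4], const uint8_t dst[4],
                      const uint8_t *seg, size_t seg_len) {
    uint8_t ph[12] = {0};
    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    ph[9]  = 6;
    ph[10] = (uint8_t)(seg_len >> 8);
    ph[11] = (uint8_t)seg_len;
    return fold(ones_sum(seg, seg_len, ones_sum(ph, sizeof ph, 0)));
}

/* Constructed segment: 20-byte TCP header (port 80 -> 8080, ACK, window
 * 0x2000, checksum zeroed) plus payload_len bytes of `fill`. Returns length. */
size_t build_segment(uint8_t *seg, size_t payload_len, uint8_t fill) {
    static const uint8_t hdr[20] = {0x00,0x50, 0x1f,0x90, 0,0,0,0, 0,0,0,0,
                                    0x50,0x10, 0x20,0x00, 0,0, 0,0};
    memcpy(seg, hdr, sizeof hdr);
    memset(seg + sizeof hdr, fill, payload_len);
    return sizeof hdr + payload_len;
}

/* Stamp the checksum into bytes 16-17 and recompute: a good segment folds to
 * 0, the value a working in_chksum_tcp reports (the "0x0" lines at -O1). */
uint16_t stamp_and_verify(const uint8_t src[4], const uint8_t dst[4],
                          uint8_t *seg, size_t seg_len) {
    uint16_t c = tcp_checksum(src, dst, seg, seg_len);
    seg[16] = (uint8_t)(c >> 8);
    seg[17] = (uint8_t)c;
    return tcp_checksum(src, dst, seg, seg_len);
}
```

A payload of all 0xff bytes yields the same checksum as all zeros, since each 0xffff word is zero in ones'-complement arithmetic; that case exercises the carry folding a broken build may get wrong.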
