Snort mailing list archives
Snort vs. gcc 4.1.0
From: Allen McIntosh <mcintosh () research telcordia com>
Date: Tue, 04 Apr 2006 13:00:02 -0400
Snort and gcc 4.1.0 don't get along.

Background: I got started on this because I couldn't get snort as it came with Fedora Core 5 to work. I had a really simple example: a single TCP packet (containing lots of zeros) and a simple rule that detected a TCP packet containing a zero.
To make a long story short, here's the problem. First, modify decode.c (line numbers for 2.4.4, but the code is unchanged in 2.4.6 beta) to provide better diagnostics:
*** decode.c.ori Fri Sep 16 17:06:35 2005 --- decode.c Tue Apr 4 11:32:15 2006 *************** *** 2535,2546 ***** checksum, but it's not bad to keep around for shits and giggles */
/* calculate the checksum */csum = in_chksum_tcp((u_int16_t *)&ph, (u_int16_t *)(p->tcph), len);
if(csum) { p->csum_flags |= CSE_TCP; ! DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad TCP checksum\n", ! "0x%x versus 0x%x\n", csum, ntohs(p->tcph->th_sum));); if(InlineMode()) { --- 2535,2548 ----* checksum, but it's not bad to keep around for shits and giggles */
/* calculate the checksum */csum = in_chksum_tcp((u_int16_t *)&ph, (u_int16_t *)(p->tcph), len);
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "TCP in_cksum_tcp is 0x%x\n", csum);); if(csum) { p->csum_flags |= CSE_TCP; ! DEBUG_WRAP(DebugMessage(DEBUG_DECODE, ! "Bad TCP checksum 0x%x versus 0x%x\n", csum, ntohs(p->tcph->th_sum));); if(InlineMode()) {

Then compile with gcc 4.1 as it comes with Fedora Core 5 and -O1 (DEBUG on). Run with SNORT_DEBUG=64 (i.e. DEBUG_DECODE turned on) over a file containing roughly 22K TCP packets:
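Review bot: the two "!" lines in the second hunk fix a real defect in the original diagnostic, not just its wording: DebugMessage was handed "Bad TCP checksum\n" as the format string and "0x%x versus 0x%x\n" as the first variadic argument, so the format contained no conversions, csum and ntohs(p->tcph->th_sum) were never printed, and the second literal was silently discarded. That correction is worth keeping on its own even if the added unconditional "TCP in_cksum_tcp is 0x%x" line is reverted after this investigation, since that line fires once per TCP packet at SNORT_DEBUG=64. While the added line is in, consider printing len and ntohs(p->tcph->th_sum) next to csum, e.g. "TCP in_cksum_tcp is 0x%x (len %d, th_sum 0x%x)\n", so a miscomputed csum can be correlated with segment length and the on-the-wire value without a second run.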
snort xxxxxxx | grep in_cksum_tcp | sort | uniq -c

Output:

  21934 decode.c:2539: TCP in_cksum_tcp is 0x0

Then compile (FC5 again) with gcc 4.1 and -O2. Run with DEBUG_DECODE. Output:

    873 decode.c:2539: TCP in_cksum_tcp is 0x0
  10110 decode.c:2539: TCP in_cksum_tcp is 0x5900
      3 decode.c:2539: TCP in_cksum_tcp is 0x5d14
      6 decode.c:2539: TCP in_cksum_tcp is 0x6100
     38 decode.c:2539: TCP in_cksum_tcp is 0x6314
    107 decode.c:2539: TCP in_cksum_tcp is 0x6514
      8 decode.c:2539: TCP in_cksum_tcp is 0x65ff
      1 decode.c:2539: TCP in_cksum_tcp is 0x7378
     10 decode.c:2539: TCP in_cksum_tcp is 0x800
     23 decode.c:2539: TCP in_cksum_tcp is 0x822d
      6 decode.c:2539: TCP in_cksum_tcp is 0x9eff
      6 decode.c:2539: TCP in_cksum_tcp is 0xa557
  10231 decode.c:2539: TCP in_cksum_tcp is 0xa6ff
     17 decode.c:2539: TCP in_cksum_tcp is 0xbc14
    477 decode.c:2539: TCP in_cksum_tcp is 0xbe14
     10 decode.c:2539: TCP in_cksum_tcp is 0xdb2d
      8 decode.c:2539: TCP in_cksum_tcp is 0xf7ff

Each case where csum is non-zero produces a "Bad TCP checksum" message. The "Bad TCP checksum" messages look like this (there are lots of them, and few counts greater than one):
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x10
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1000
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1002
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1004
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1006
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1008
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x101
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1011
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1022
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1024
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x102f
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1031
      3 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1035
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1036
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1038
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1039
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x103a
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x104
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x104f
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1053
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x105f
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1063
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1064
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1067
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1068
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x106c

When decode.c is compiled with gcc 3.2 (from FC5) and -O2, results are the same as for gcc 4.1.0 with -O1.
I didn't investigate 2.4.6 beta thoroughly, but the code is unchanged, and the -O2 compiled decode.c doesn't work.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
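What in_chksum_tcp is being asked to return, written out as an added example: a TCP checksum over the IPv4 pseudo-header, as in RFC 793 / RFC 1071. This is not Snort's code and not from the post above. It reads the packet buffer one byte at a time instead of through the u_int16_t pointers that the call in decode.c casts to; that is a design choice for a reference implementation, not a diagnosis of the -O2 results reported in the post. The addresses, ports and zero-filled payload below are constructed for the demo. tcp_checksum returns 0 for a segment whose th_sum is already correct, which is the value the post's -O1 build reported for all 21934 packets.

```c
/*
 * Reference TCP checksum (RFC 1071 ones'-complement sum over the IPv4
 * pseudo-header plus the segment).  Added example, not Snort's in_chksum_tcp.
 * Every 16-bit word is assembled from two uint8_t loads, so the code makes no
 * alignment or pointer-aliasing assumptions about the packet buffer.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed endpoints for the demo segment (hypothetical, not from the post). */
static const uint8_t SRC[4] = {10, 0, 0, 1};
static const uint8_t DST[4] = {10, 0, 0, 2};

/* Add the big-endian 16-bit words of buf[0..len) to sum; an odd trailing byte is padded with zero. */
static uint32_t sum_words(const uint8_t *buf, size_t len, uint32_t sum)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    return sum;
}

/* Fold the carries back into 16 bits and take the ones' complement. */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/*
 * Checksum of a TCP segment (header + payload, len bytes) under the IPv4
 * pseudo-header {src, dst, 0, IPPROTO_TCP, len}.  On a segment whose th_sum
 * field is already correct the result is 0, which is the value the csum
 * variable in decode.c should hold for every good packet.
 */
uint16_t tcp_checksum(const uint8_t src[4], const uint8_t dst[4],
                      const uint8_t *seg, size_t len)
{
    uint8_t ph[12];
    uint32_t sum;

    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    ph[8] = 0;
    ph[9] = 6;                       /* IPPROTO_TCP */
    ph[10] = (uint8_t)(len >> 8);    /* TCP length: header + payload */
    ph[11] = (uint8_t)(len & 0xff);

    sum = sum_words(ph, sizeof ph, 0);
    sum = sum_words(seg, len, sum);
    return fold(sum);
}

/* Compute th_sum in place (bytes 16-17 of the TCP header).  Returns -1 if the segment is too short. */
int tcp_fill_checksum(const uint8_t src[4], const uint8_t dst[4],
                      uint8_t *seg, size_t len)
{
    uint16_t c;

    if (len < 20)
        return -1;
    seg[16] = 0;
    seg[17] = 0;
    c = tcp_checksum(src, dst, seg, len);
    seg[16] = (uint8_t)(c >> 8);
    seg[17] = (uint8_t)(c & 0xff);
    return 0;
}

/*
 * Build a constructed SYN segment 1234 -> 80 with a zero-filled payload of
 * payload_len bytes (mirrors the post's "single TCP packet containing lots of
 * zeros").  buf must hold 20 + payload_len bytes; returns the segment length.
 */
size_t build_syn_segment(uint8_t *buf, size_t payload_len)
{
    static const uint8_t hdr[20] = {
        0x04, 0xd2, 0x00, 0x50,   /* source port 1234, destination port 80 */
        0x00, 0x00, 0x00, 0x00,   /* sequence number */
        0x00, 0x00, 0x00, 0x00,   /* acknowledgement number */
        0x50, 0x02, 0x20, 0x00,   /* data offset 5, flags SYN, window 8192 */
        0x00, 0x00, 0x00, 0x00    /* checksum (filled later), urgent pointer */
    };
    memcpy(buf, hdr, sizeof hdr);
    memset(buf + sizeof hdr, 0, payload_len);
    return sizeof hdr + payload_len;
}

int main(void)
{
    uint8_t seg[64];
    size_t n = build_syn_segment(seg, 16);

    tcp_fill_checksum(SRC, DST, seg, n);
    printf("th_sum = 0x%04x, verify = 0x%04x\n",
           (seg[16] << 8) | seg[17], tcp_checksum(SRC, DST, seg, n));

    seg[30] ^= 0x01;                 /* flip one payload byte */
    printf("after corrupting one payload byte, verify = 0x%04x\n",
           tcp_checksum(SRC, DST, seg, n));
    return 0;
}
```

To cross-check a capture against a suspect build, feed each TCP segment and its IP addresses to tcp_checksum and count the non-zero results the way the post does with sort | uniq -c; a packet that verifies to 0 here but is flagged "Bad TCP checksum" by Snort points at the build rather than the capture. The pseudo-header is IPv4 only; IPv6 uses a different one and is not handled here.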
Current thread:
- Snort vs. gcc 4.1.0 Allen McIntosh (Apr 04)
- Re: Snort vs. gcc 4.1.0 Allen McIntosh (Apr 04)