
[Snort-devel] Detection disabled by mistake in spp_stream4

From: Milani Paolo <Paolo.Milani(at)TILAB.COM>
Date: Thu Mar 04 2004 - 08:21:29 EST


Hi,

In the current release of spp_stream4.c, line 1839:

    p->packet_flags = PKT_STREAM_UNEST_UNI;

This effectively disables detection (by unsetting the PKT_DO_DETECT flag). This is obviously a bug. I am not submitting a patch because I do not know the stream reassembly code so well and am not sure what was intended at this point.

My guess is that changing it to

    p->packet_flags |= PKT_STREAM_UNEST_UNI;

is the fix, but I'm not really sure about whether it was intended to reset some of the stream flags.

If the intention is to disable detection for packets that have not had bi-directional cooperative traffic, then we should
a) check config stateful
b) use the DisableDetect inline func, which also disables preprocessors.. otherwise we waste time doing preprocessing on packets we will not detect on (and then what happens with portscanning preprocessors? Those need to see unestablished unidirectional packets..)

Hope this helps,
Paolo Milani




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Thu Mar 4 08:26:35 2004
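
Added example, not part of the original post and not Snort source: a minimal C model of the flag overwrite described in the message, comparing plain assignment with the suggested |= on constructed packets. The bit values, the Packet struct and the function names are assumptions made for the illustration; only the flag names come from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed bit values for illustration; NOT Snort's real definitions. */
#define PKT_DO_DETECT        0x01u  /* packet should reach the rule engine */
#define PKT_REBUILT_FRAG     0x02u  /* stand-in for any flag set earlier */
#define PKT_STREAM_UNEST_UNI 0x04u  /* unestablished, unidirectional stream */

/* Hypothetical, minimal packet: a flag word plus the stream state. */
typedef struct { uint32_t packet_flags; int unest_uni; } Packet;

/* Behaviour the post describes: assignment overwrites every other bit. */
static void mark_unest_assign(Packet *p) { p->packet_flags = PKT_STREAM_UNEST_UNI; }

/* The poster's suggested change: OR the bit in, keeping earlier flags. */
static void mark_unest_or(Packet *p) { p->packet_flags |= PKT_STREAM_UNEST_UNI; }

/* Mark constructed packets, return how many are still eligible for
 * detection, and report which flag bits were silently cleared. */
static size_t count_detected(void (*mark)(Packet *), uint32_t *lost_flags)
{
    /* Constructed sample: two packets on unestablished unidirectional
     * streams, one on an ordinary stream. */
    Packet pkts[] = {
        { PKT_DO_DETECT, 1 },
        { PKT_DO_DETECT | PKT_REBUILT_FRAG, 1 },
        { PKT_DO_DETECT, 0 },
    };
    size_t detected = 0;
    *lost_flags = 0;
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        uint32_t before = pkts[i].packet_flags;
        if (pkts[i].unest_uni)
            mark(&pkts[i]);
        *lost_flags |= before & ~pkts[i].packet_flags;
        if (pkts[i].packet_flags & PKT_DO_DETECT)
            detected++;
    }
    return detected;
}

int main(void)
{
    uint32_t lost;
    size_t n = count_detected(mark_unest_assign, &lost);
    printf("assign: %zu of 3 detected, lost bits 0x%02x\n", n, (unsigned)lost);
    n = count_detected(mark_unest_or, &lost);
    printf("or:     %zu of 3 detected, lost bits 0x%02x\n", n, (unsigned)lost);
    return 0;
}
```

A check of this shape, comparing the flag word before and after a preprocessor runs, makes an unintended clear of a detection flag visible in a unit test.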

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT

