Snort mailing list archives
Re: [PATCH] dnp3 preprocesser: message "WARNING: DNP3 memcap exceeded" logged too often
From: Bram <bram-fabeg () mail wizbit be>
Date: Wed, 18 Sep 2013 21:33:41 +0200
Was this message taken into consideration? (I received no reply)

Quoting Bram <bram-fabeg () mail wizbit be>:
Hi,
This message is related to the previous message: "dnp3 preprocesser:
incorrect message when track_udp is disabled".
The error was detected due to that bug.
The dnp3 preprocessor logs the message "WARNING: DNP3 memcap
exceeded" too many times.
dynamic-preprocessors/dnp3/spp_dnp3.c line 511-517 contains:
    /* Print a message, but only every 1000 times.
       Don't want to flood the log if there's a lot of DNP3
       traffic. */
    if (times_mempool_alloc_failed % 1000)
    {
        _dpd.logMsg("WARNING: DNP3 memcap exceeded.\n");
    }
    times_mempool_alloc_failed++;
This code is incorrect and does the opposite of what it intended to do...
It logs the message 999 times out of 1000 instead of 1 time out of 1000.
Obvious fix:
if (times_mempool_alloc_failed % 1000 == 0)
Patch for this is attached.
Configuration:
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
preprocessor stream5_global: track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, ports client 20000
preprocessor stream5_udp: timeout 180
preprocessor dnp3: ports { 20000 } memcap 262144 check_crc
output alert_fast: stdout
Running it without patch:
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir
/lib/daq/ -r /tmp/dnp3.cap
...
Commencing packet processing (pid=14326)
07/20-14:07:30.865299 192.168.173.1:56323 -> 192.168.173.153:20000
UDP TTL:64 TOS:0x0 ID:14163 IpLen:20 DgmLen:32 DF
Len: 4
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: DNP3 memcap exceeded.
07/20-14:07:32.019776 192.168.173.1:56323 -> 192.168.173.153:20000
UDP TTL:64 TOS:0x0 ID:14164 IpLen:20 DgmLen:32 DF
Len: 4
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: DNP3 memcap exceeded.
07/20-14:07:33.211051 192.168.173.1:56323 -> 192.168.173.153:20000
UDP TTL:64 TOS:0x0 ID:14165 IpLen:20 DgmLen:32 DF
Len: 4
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
...
=> Warning not shown on the first packet
=> Warning shown on the second and third packet
Running it with patch:
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir
/lib/daq/ -r /tmp/dnp3.cap
Commencing packet processing (pid=15964)
WARNING: DNP3 memcap exceeded.
07/20-14:07:30.865299 192.168.173.1:56323 -> 192.168.173.153:20000
UDP TTL:64 TOS:0x0 ID:14163 IpLen:20 DgmLen:32 DF
Len: 4
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
07/20-14:07:32.019776 192.168.173.1:56323 -> 192.168.173.153:20000
UDP TTL:64 TOS:0x0 ID:14164 IpLen:20 DgmLen:32 DF
Len: 4
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
07/20-14:07:33.211051 192.168.173.1:56323 -> 192.168.173.153:20000
UDP TTL:64 TOS:0x0 ID:14165 IpLen:20 DgmLen:32 DF
Len: 4
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=> Warning shown on the first packet
=> Warning not shown on the second and third packet
(Note: the fact that this message is logged for the attached capture
file is incorrect - see other mail)
Best regards,
Bram
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
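The following is an added illustration, not code from the mail above or from Snort itself: a small simulation of the "log only every Nth failure" pattern, with the inverted predicate from the quoted snippet next to the corrected one. The counter, the `LOG_EVERY_N` constant and the function names are constructed for this example; the point is to reproduce the observed behaviour (no warning on the first failure, then a warning on nearly every one) and to show that the rate limit is what keeps memcap exhaustion from turning into a log flood.

```c
#include <stdio.h>

/* Constructed constant standing in for the hard-coded 1000 in the snippet. */
#define LOG_EVERY_N 1000UL

/* Original predicate: `if (count % 1000)` is true for every non-zero
   remainder, so it fires on 999 of every 1000 failures. */
static int buggy_should_log(unsigned long count)
{
    return (count % LOG_EVERY_N) != 0;
}

/* Corrected predicate: fires on failure 0, 1000, 2000, ... */
static int fixed_should_log(unsigned long count)
{
    return (count % LOG_EVERY_N) == 0;
}

/* Hypothetical allocation-failure path: decide whether to warn, then
   increment the counter, in the same order as the quoted snippet.
   Returns how many warnings `failures` consecutive failures would emit. */
static unsigned long simulate_failures(unsigned long failures,
                                       int (*should_log)(unsigned long),
                                       int verbose)
{
    unsigned long count = 0, emitted = 0;

    for (unsigned long i = 0; i < failures; i++)
    {
        if (should_log(count))
        {
            emitted++;
            if (verbose)
                printf("WARNING: memcap exceeded (failure #%lu)\n", count + 1);
        }
        count++;
    }
    return emitted;
}

unsigned long warnings_with_bug(unsigned long failures)
{
    return simulate_failures(failures, buggy_should_log, 0);
}

unsigned long warnings_with_fix(unsigned long failures)
{
    return simulate_failures(failures, fixed_should_log, 0);
}

int main(void)
{
    /* Three failures, as with the three packets in the capture above. */
    printf("3 failures, original: %lu warning(s)\n", warnings_with_bug(3));
    printf("3 failures, fixed:    %lu warning(s)\n", warnings_with_fix(3));

    /* Sustained pressure: a thousand failures in a row. */
    printf("1000 failures, original: %lu warning(s)\n", warnings_with_bug(1000));
    printf("1000 failures, fixed:    %lu warning(s)\n", warnings_with_fix(1000));
    return 0;
}
```

With three failures the original predicate skips the first and logs the second and third, which is exactly the packet-by-packet behaviour shown in the unpatched run; with the fix only the first is logged, and every thousandth after that.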
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- [PATCH] dnp3 preprocesser: message "WARNING: DNP3 memcap exceeded" logged too often Bram (Jul 18)
- Re: [PATCH] dnp3 preprocesser: message "WARNING: DNP3 memcap exceeded" logged too often Bram (Sep 18)
