Snort mailing list archives

[PATCH] dnp3 preprocessor: message "WARNING: DNP3 memcap exceeded" logged too often


From: Bram <bram-fabeg () mail wizbit be>
Date: Thu, 18 Jul 2013 21:12:03 +0200

Hi,

This message is related to the previous message: "dnp3 preprocessor: incorrect message when track_udp is disabled".
The error was detected due to that bug.

The dnp3 preprocessor logs the message "WARNING: DNP3 memcap exceeded" too many times.

dynamic-preprocessors/dnp3/spp_dnp3.c line 511-517 contains:
            /* Print a message, but only every 1000 times.
               Don't want to flood the log if there's a lot of DNP3 traffic. */
            if (times_mempool_alloc_failed % 1000)
            {
                _dpd.logMsg("WARNING: DNP3 memcap exceeded.\n");
            }
            times_mempool_alloc_failed++;


This code is incorrect and does the opposite of what it was intended to do...

It logs the message 999 times out of 1000 instead of 1 time out of 1000.

Obvious fix:
            if (times_mempool_alloc_failed % 1000 == 0)


Patch for this is attached.

Configuration:
        dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
        preprocessor stream5_global: track_tcp yes, track_udp no
        preprocessor stream5_tcp: policy first, ports client 20000
        preprocessor stream5_udp: timeout 180

        preprocessor dnp3: ports { 20000 } memcap 262144 check_crc
        output alert_fast: stdout

Running it without patch:
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/dnp3.cap

        ...
        Commencing packet processing (pid=14326)
        07/20-14:07:30.865299 192.168.173.1:56323 -> 192.168.173.153:20000
        UDP TTL:64 TOS:0x0 ID:14163 IpLen:20 DgmLen:32 DF
        Len: 4
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

        WARNING: DNP3 memcap exceeded.
        07/20-14:07:32.019776 192.168.173.1:56323 -> 192.168.173.153:20000
        UDP TTL:64 TOS:0x0 ID:14164 IpLen:20 DgmLen:32 DF
        Len: 4
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

        WARNING: DNP3 memcap exceeded.
        07/20-14:07:33.211051 192.168.173.1:56323 -> 192.168.173.153:20000
        UDP TTL:64 TOS:0x0 ID:14165 IpLen:20 DgmLen:32 DF
        Len: 4
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
        ...

=> Warning not shown on the first packet
=> Warning shown on the second and third packet


Running it with patch:
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/dnp3.cap

        Commencing packet processing (pid=15964)
        WARNING: DNP3 memcap exceeded.
        07/20-14:07:30.865299 192.168.173.1:56323 -> 192.168.173.153:20000
        UDP TTL:64 TOS:0x0 ID:14163 IpLen:20 DgmLen:32 DF
        Len: 4
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

        07/20-14:07:32.019776 192.168.173.1:56323 -> 192.168.173.153:20000
        UDP TTL:64 TOS:0x0 ID:14164 IpLen:20 DgmLen:32 DF
        Len: 4
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

        07/20-14:07:33.211051 192.168.173.1:56323 -> 192.168.173.153:20000
        UDP TTL:64 TOS:0x0 ID:14165 IpLen:20 DgmLen:32 DF
        Len: 4
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=> Warning shown on the first packet
=> Warning not shown on the second and third packet


(Note: the fact that this message is logged for the attached capture file is incorrect - see other mail)


Best regards,

Bram


Attachment: dnp3.cap
Attachment: dnp3_warning.patch
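The inverted modulo check is easy to misread, so here is an added example (not code from the post, the attached patch, or Snort itself) that drives a toy memory pool past its cap and counts how many warnings each predicate would emit. The `toy_mempool` type, the 4096-byte per-session cost and the session counts are constructed for the example; the memcap of 262144 is the one from the posted configuration, and the two predicates are the unpatched and patched conditions from the mail.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for the preprocessor's memory pool (an assumption for this
 * example, not Snort's mempool API): an allocation that would push the running
 * total past memcap fails, which is the condition the warning reports. */
typedef struct {
    size_t memcap;   /* bytes the pool may hand out in total */
    size_t in_use;   /* bytes currently handed out */
} toy_mempool;

/* Returns 0 on success, -1 when the memcap would be exceeded. */
int toy_mempool_alloc(toy_mempool *mp, size_t nbytes)
{
    if (nbytes > mp->memcap - mp->in_use)
        return -1;
    mp->in_use += nbytes;
    return 0;
}

/* Predicate from the unpatched spp_dnp3.c: true for 999 of every 1000 failures. */
int should_log_unpatched(unsigned long times_mempool_alloc_failed)
{
    return (times_mempool_alloc_failed % 1000) != 0;
}

/* Predicate from the patch: true on the first failure and every 1000th after it. */
int should_log_patched(unsigned long times_mempool_alloc_failed)
{
    return (times_mempool_alloc_failed % 1000) == 0;
}

/* Push `sessions` session creations of `session_bytes` each through the pool,
 * mirroring the preprocessor's failure path: on every failed allocation,
 * consult the predicate, then bump the counter. Returns the number of
 * warnings that would have been written to the log. */
unsigned long count_warnings(size_t memcap, size_t session_bytes,
                             unsigned long sessions,
                             int (*should_log)(unsigned long))
{
    toy_mempool mp = { memcap, 0 };
    unsigned long times_mempool_alloc_failed = 0;
    unsigned long warnings = 0;

    for (unsigned long i = 0; i < sessions; i++) {
        if (toy_mempool_alloc(&mp, session_bytes) == 0)
            continue;                      /* session tracked, nothing to log */

        if (should_log(times_mempool_alloc_failed))
            warnings++;                    /* "WARNING: DNP3 memcap exceeded." */
        times_mempool_alloc_failed++;
    }
    return warnings;
}

int main(void)
{
    /* memcap 262144 as in the posted configuration; 4096 bytes per session is
     * a constructed figure, so exactly 64 sessions fit and the rest fail. */
    const size_t memcap = 262144, per_session = 4096;
    const unsigned long sessions = 64 + 3000;

    printf("unpatched: %lu warnings for 3000 failures\n",
           count_warnings(memcap, per_session, sessions, should_log_unpatched));
    printf("patched:   %lu warnings for 3000 failures\n",
           count_warnings(memcap, per_session, sessions, should_log_patched));
    return 0;
}
```

With 3000 failures the unpatched predicate fires 2997 times and the patched one 3 times; with three failures, as in the posted run, the counts are 2 and 1, matching the "not on the first packet, on the second and third" versus "on the first packet only" behaviour shown above.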

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!