
List:       snort-devel
Subject:    Re: [Snort-devel] SFSnortPacket: Problem when getting packet payload
From:       Todd Wease <twease () sourcefire ! com>
Date:       2013-05-14 14:15:36
Message-ID: CANvttwEcWm8_UVp_ZkgMb7cNRwGv6mCrAWWfjhbefLV5xn-nAA () mail ! gmail ! com


Hi Hai,

Looks like the payload_size may be zero and payload pointer not NULL if
there isn't any payload after, say, the TCP header - if the payload_size is
0, you shouldn't be accessing the payload pointer.  It may be that you're
running in passive or post-ack mode and getting both a stream5 reassembled
packet and the ACK (no payload) that caused the reassembly.  You may want
to check for just reassembled packets.  The SFSnortPacket header has a
flags member and with PAF enabled you can test for a full PDU:

PacketHasFullPDU(p) || p->flags & FLAG_REBUILT_STREAM     // p is an SFSnortPacket instance

If you're still having issues and you don't mind, can you send your code
(or at least the relevant part), a pcap and the packets you think should
have a payload_size > 0 when they get to your preprocessor (off list to me
if you prefer)?

Thanks,
Todd
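The guard Todd describes, written out as an added example (not code from this thread or from Snort): a stand-in struct carrying the three SFSnortPacket members discussed, illustrative flag values, and a bounded payload check that only runs on reassembled or full-PDU data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the SFSnortPacket members the thread discusses.  The flag
 * values are illustrative placeholders; a real preprocessor takes the struct
 * and constants from Snort's dynamic-preprocessor headers. */
#define FLAG_REBUILT_STREAM 0x00000001u
#define FLAG_PDU_HEAD       0x00000002u
#define FLAG_PDU_TAIL       0x00000004u
#define FLAG_PDU_FULL       (FLAG_PDU_HEAD | FLAG_PDU_TAIL)
#define PacketHasFullPDU(p) (((p)->flags & FLAG_PDU_FULL) == FLAG_PDU_FULL)

typedef struct {
    const uint8_t *payload;   /* may be non-NULL even when payload_size == 0 */
    uint16_t payload_size;
    uint32_t flags;
} PacketView;

/* True only for packets that carry inspectable, reassembled data:
 * bare ACKs (size 0) and unreassembled raw segments are skipped. */
bool should_inspect(const PacketView *p)
{
    if (p == NULL || p->payload == NULL || p->payload_size == 0)
        return false;
    return PacketHasFullPDU(p) || (p->flags & FLAG_REBUILT_STREAM) != 0;
}

/* Bounded prefix match: reads are limited by payload_size, never by a
 * NUL terminator, which packet payloads do not have. */
bool payload_starts_with(const PacketView *p, const char *prefix)
{
    size_t n = strlen(prefix);
    return should_inspect(p) && p->payload_size >= n &&
           memcmp(p->payload, prefix, n) == 0;
}

/* Constructed samples covering the cases Todd's reply distinguishes. */
static const uint8_t kGet[] = "GET / HTTP/1.1\r\nHost: example\r\n\r\n";
#define GET_LEN ((uint16_t)(sizeof kGet - 1))

const PacketView kAck     = { kGet, 0, 0 };                   /* ACK: size 0, pointer set */
const PacketView kRawSeg  = { kGet, GET_LEN, 0 };             /* raw, not reassembled */
const PacketView kRebuilt = { kGet, GET_LEN, FLAG_REBUILT_STREAM };
const PacketView kFullPDU = { kGet, GET_LEN, FLAG_PDU_FULL };

int main(void)
{
    return payload_starts_with(&kRebuilt, "GET ") ? 0 : 1;
}
```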

On Tue, May 14, 2013 at 6:39 AM, Hai Minh Nguyen <lightsea90@gmail.com> wrote:

> Hi,
>
> I'm writing a dynamic preprocessor which examines all packet payload. I
> found that SFSnortPacket contained 2 members: payload (pointer) and
> payload_size. I used these 2 members to read packet payload. But when I
> tested with those packets of an HTTP stream (payload definitely existed), it
> showed that payload_size = 0 and payload != NULL. I thought if payload_size
> = 0 then payload = NULL :|
>
> My questions:
>
> 1. If payload_size = 0, there's no payload, just header and payload =
> NULL. Is this true? What about my case?
>
> 2. How to examine packet payload? (Is my way right? How to fix? Any
> other solution?)
>
> --
> Sword Demon Dugu Qiubai - Oh, a lifetime of glory, wishing only to be defeated
> once, yet no one has ever lasted past three moves!!!
>
>
> ------------------------------------------------------------------------------
> AlienVault Unified Security Management (USM) platform delivers complete
> security visibility with the essential security capabilities. Easily and
> efficiently configure, manage, and operate all of your security controls
> from a single console and one unified framework. Download a free trial.
> http://p.sf.net/sfu/alienvault_d2d
> _______________________________________________
> Snort-devel mailing list
> Snort-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
