From: Christopher B. <bla...@um...> - 2004-12-30 15:53:32
Well, I've included patches I've generated so far. The snort.h patch is required to compile, decode.c is required for it to not drop every packet, and inline.c adds a (commented out) ugly fix for the segfault, and two debug statements demonstrating the problem. All patches were created outside the top-level snort_inline-2.2.0a directory.

A rule triggering a "reject" will segfault the program. I have traced it to inline.c, roughly line 398 (400 after my patch). Printing the value once returns the same value as printing it anywhere prior in the execution chain. Printing it again returns 0 and a segfault. My C skills aren't up to par I guess, because I'm stumped here.

[root@mobilebeast1 blackchr]# gdb /usr/local/bin/snort_inline snort_inline.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
Core was generated by `snort_inline'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/local/lib/libpcre.so.0...done.
Loaded symbols for /usr/local/lib/libpcre.so.0
Reading symbols from /usr/lib/libpcap.so.3...done.
Loaded symbols for /usr/lib/libpcap.so.3
Reading symbols from /lib/libm.so.3...done.
Loaded symbols for /lib/libm.so.3
Reading symbols from /lib/libc.so.5...done.
Loaded symbols for /lib/libc.so.5
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0 0x0806224d in HandlePacket () at inline.c:400
400 iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr;
(gdb)

Is there any more info I can provide?

On Thu, 2004-12-30 at 09:00, William Metcalf wrote:
> We always welcome patches, send me a diff I'll look it over and if
> everything is cool I'll include it in 2.3.0.
>
> Regards,
>
> Will
>
> Christopher Black <bla...@um...>
> Sent by: sno...@li...
> 12/30/2004 07:53 AM
>
> To: sno...@li...
> cc:
> Subject: Re: [Snort-inline-users] Freebsd and IPFW and IP header checksums
>
> Ahhh, what a way to join the list. I am using snort_inline 2.2.0a, and
> the information below is still accurate. However, I didn't realize the
> test.rules set was modifying both DNS and ICMP packets. Commenting out
> those rules, snort_inline is working just as it should.
>
> Would it be useful to produce diff patches for my changes for
> snort_inline 2.2.0a on FreeBSD 5.3?
>
> On Thu, 2004-12-30 at 08:38, Christopher Black wrote:
> > Hello list,
> >
> > I am using snort_inline on FreeBSD 5.3 with IPFW, and after fixing the
> > following (line 184 used to be in the ndef block) in snort.h:
> >
> > 179 #ifndef IPFW
> > 180 char layer2_resets;
> > 181 u_char enet_src[6];
> > 182 #endif
> > 183 #ifdef IPFW
> > 184 char log_bad_checksums;
> > 185 int divert_port;
> > 186 #endif /* USE IPFW DIVERT socket instead of IPtables */
> >
> > It will compile, but drops every packet. I traced that back to checking
> > the IP header checksum, and based on the comment leading that block
> > (that the check is mostly unneeded), I just commented out the line to
> > call InlineDrop(). Now it's not dropping the packet there, but still
> > seems to be dropping it somewhere.
> >
> > Has anyone else run into and/or fixed this? I will continue hunting,
> > but look forward to your input!
> --
> Christopher Black <bla...@um...>

--
Christopher Black <bla...@um...>