Skip Menu |

This queue is for tickets about the Net-LibNIDS CPAN distribution.

Report information
The Basics
Id: 51107
Status: resolved
Worked: 1 hour (60 min)
Priority: 0/
Queue: Net-LibNIDS
People
Owner: david [...] edeca.net
Requestors: david [...] edeca.net
Cc:
AdminCc:
Bug Information
Severity: Important
Broken in:
  • 0.01
  • 0.02
  • 0.03
  • 0.04
Fixed in: 0.1

History Show all quoted text
  Wed Nov 04 10:57:04 2009 david [...] edeca.net - Ticket created
Subject: Fix parsing of multiple files
As discussed here: http://www.cpanforum.com/dist/Net-LibNIDS and also experienced by me, Net::LibNIDS does not handle multiple pcap files correctly. This is because libnids cleans up and removes its callback once run() is finished. Net::LibNIDS will only set a new callback if the local one is undefined, which means libnids runs with no callback set. The attached patch fixes this, by removing the check and always setting the local and libnids callbacks when Net::LibNIDS::tcp_callback() is called.
Subject: net-libnids-callback.patch
--- LibNIDS.xs-old 2009-11-04 15:50:41.049142523 +0000 +++ LibNIDS.xs 2009-11-04 15:50:23.239700506 +0000 @@ -291,11 +291,8 @@ tcp_callback(cb); SV* cb CODE: - if(!our_tcp_callback) { our_tcp_callback = SvRV(cb); nids_register_tcp(tcp_callback_f); - } - MODULE = Net::LibNIDS PACKAGE = Net::LibNIDS::param
  Thu Nov 05 06:32:20 2009 david [...] edeca.net - Correspondence added
On Wed Nov 04 10:57:04 2009, edeca wrote: Show quoted text
> The attached patch fixes this, by removing the check and always setting > the local and libnids callbacks when Net::LibNIDS::tcp_callback() is
called. Whilst this fixes the callback, there seems to be a bug in either libnids or Net::LibNIDS which causes it to segfault in add_new_tcp() with some combinations of files. I'll do some more digging and see if I can find what causes this. Any other testing would be appreciated.
  Thu Nov 05 06:32:24 2009 david [...] edeca.net - Status changed from 'new' to 'open'
  Thu Nov 05 07:37:34 2009 david [...] edeca.net - Correspondence added
On Thu Nov 05 06:32:20 2009, edeca wrote: Show quoted text
> On Wed Nov 04 10:57:04 2009, edeca wrote: > Whilst this fixes the callback, there seems to be a bug in either > libnids or Net::LibNIDS which causes it to segfault in add_new_tcp() > with some combinations of files.
OK, it seems to be a bug in libnids (tcp.c:307 in v1.23) when updating the timestamp of the "last packet". I assume it to be a problem if pcap files are fed out of date order but which contain related packets. If I come across anything to the contrary I will update this page. Testing it with an 800mb "in order" pcap seems to work fine. mergecap and editcap are your friends for ensuring in order traffic.
  Thu Nov 05 07:49:02 2009 david [...] edeca.net - Correspondence added
On Thu Nov 05 07:37:34 2009, edeca wrote: Show quoted text
> On Thu Nov 05 06:32:20 2009, edeca wrote:
> > On Wed Nov 04 10:57:04 2009, edeca wrote: > > Whilst this fixes the callback, there seems to be a bug in either > > libnids or Net::LibNIDS which causes it to segfault in add_new_tcp() > > with some combinations of files.
> > OK, it seems to be a bug in libnids (tcp.c:307 in v1.23) when updating > the timestamp of the "last packet". I assume it to be a problem if pcap > files are fed out of date order but which contain related packets.
Oops. This is a definite bug in libnids. I'll send a patch to the actual library owner. Two variables are not reset at the end of the first file, which means the TCP parsing code tries to update them when it sees the first packet in the second file.
  Sat Feb 06 08:17:08 2010 david [...] edeca.net - Correspondence added 60 min
On Thu Nov 05 07:49:02 2009, edeca wrote: Show quoted text
> Oops. This is a definite bug in libnids. I'll send a patch to the > actual library owner. Two variables are not reset at the end of the > first file, which means the TCP parsing code tries to update them when > it sees the first packet in the second file.
As previously discussed, this bug requires a simple modification to the libnids C library. I have sent this fix bundled as a new release to the maintainer of libnids. Unfortunately, it has not yet been published. I will modify this bug and Net::LibNIDS itself when the library is updated to fix the issue.
  Sat Feb 06 08:17:09 2010 david [...] edeca.net - Status changed from 'open' to 'stalled'
  Sat Feb 06 08:17:10 2010 david [...] edeca.net - Given to edeca
  Tue Jun 29 05:44:32 2010 david [...] edeca.net - Correspondence added
Fixed in Net::LibNIDS 0.1 as long as libnids v1.24 is used.
  Tue Jun 29 05:44:32 2010 The RT System itself - Status changed from 'stalled' to 'open'
  Tue Jun 29 05:44:33 2010 david [...] edeca.net - Status changed from 'open' to 'resolved'
  Tue Jun 29 05:44:46 2010 david [...] edeca.net - Broken in 0.02 added
  Tue Jun 29 05:44:46 2010 david [...] edeca.net - Broken in 0.03 added
  Tue Jun 29 05:44:46 2010 david [...] edeca.net - Broken in 0.04 added
  Tue Jun 29 05:44:46 2010 david [...] edeca.net - Fixed in 0.1 added