[Snort-users] Snort vs. gcc 4.1.0

Subject: [Snort-users] Snort vs. gcc 4.1.0
Date: Tue, 04 Apr 2006 13:00:02 -0400
Snort and gcc 4.1.0 don't get along.

Background: I got started on this because I couldn't get snort as it came with Fedora Core 5 to work. I had a really simple example: a single TCP packet (containing lots of zeros) and a simple rule that detected a TCP packet containing a zero.

To make a long story short, here's the problem. First, modify decode.c (line numbers for 2.4.4, but the code is unchanged in 2.4.6 beta) to provide better diagnostics:

*** decode.c.ori Fri Sep 16 17:06:35 2005
--- decode.c Tue Apr 4 11:32:15 2006
***************
*** 2535,2546 ****
* checksum, but it's not bad to keep around for shits and giggles */
/* calculate the checksum */
csum = in_chksum_tcp((u_int16_t *)&ph, (u_int16_t *)(p->tcph), len);


if(csum)
{
p->csum_flags |= CSE_TCP;
! DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad TCP checksum\n",
! "0x%x versus 0x%x\n", csum,
ntohs(p->tcph->th_sum)););
if(InlineMode())
{
--- 2535,2548 ----
* checksum, but it's not bad to keep around for shits and giggles */
/* calculate the checksum */
csum = in_chksum_tcp((u_int16_t *)&ph, (u_int16_t *)(p->tcph), len);
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
+ "TCP in_cksum_tcp is 0x%x\n", csum););


          if(csum)
          {
              p->csum_flags |= CSE_TCP;
!             DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
!                               "Bad TCP checksum 0x%x versus 0x%x\n", csum,
                                      ntohs(p->tcph->th_sum)););
              if(InlineMode())
              {
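Review bot: the merged format string in the "Bad TCP checksum" DebugMessage (the two `!` lines of the new hunk) is the substantive fix here and should be called out as such: in the old hunk "Bad TCP checksum\n" is the format and "0x%x versus 0x%x\n" is passed as the first vararg, so neither csum nor ntohs(p->tcph->th_sum) was ever printed. Two smaller points on the same lines. The new probe prints "TCP in_cksum_tcp is" while the function called on the line above is in_chksum_tcp; matching the spelling keeps a grep on the function name from missing the log line. And "0x%x versus 0x%x" reads as if csum were a recomputed checksum to be compared with th_sum, whereas csum is the residual over the pseudo-header and the whole segment with th_sum included (0 when the packet is good), so "residual 0x%x, th_sum 0x%x" would say what is actually being shown.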


Then compile with gcc 4.1 as it comes with Fedora Core 5 and -O1 (DEBUG on). Run with SNORT_DEBUG=64 (i.e. DEBUG_DECODE turned on) over a file containing roughly 22K TCP packets:


        snort xxxxxxx | grep in_cksum_tcp | sort | uniq -c

Output:
21934 decode.c:2539: TCP in_cksum_tcp is 0x0

Then compile (FC5 again) with gcc 4.1 and -O2.  Run with DEBUG_DECODE.
Output:

    873 decode.c:2539: TCP in_cksum_tcp is 0x0
  10110 decode.c:2539: TCP in_cksum_tcp is 0x5900
      3 decode.c:2539: TCP in_cksum_tcp is 0x5d14
      6 decode.c:2539: TCP in_cksum_tcp is 0x6100
     38 decode.c:2539: TCP in_cksum_tcp is 0x6314
    107 decode.c:2539: TCP in_cksum_tcp is 0x6514
      8 decode.c:2539: TCP in_cksum_tcp is 0x65ff
      1 decode.c:2539: TCP in_cksum_tcp is 0x7378
     10 decode.c:2539: TCP in_cksum_tcp is 0x800
     23 decode.c:2539: TCP in_cksum_tcp is 0x822d
      6 decode.c:2539: TCP in_cksum_tcp is 0x9eff
      6 decode.c:2539: TCP in_cksum_tcp is 0xa557
  10231 decode.c:2539: TCP in_cksum_tcp is 0xa6ff
     17 decode.c:2539: TCP in_cksum_tcp is 0xbc14
    477 decode.c:2539: TCP in_cksum_tcp is 0xbe14
     10 decode.c:2539: TCP in_cksum_tcp is 0xdb2d
      8 decode.c:2539: TCP in_cksum_tcp is 0xf7ff

Each case where csum is non-zero produces a "Bad TCP checksum" message. The "Bad TCP checksum" messages look like this (there are lots of them, and few counts greater than one):

      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x10
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1000
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1002
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1004
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1006
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1008
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x101
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1011
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1022
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1024
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x102f
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1031
      3 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1035
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1036
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1038
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1039
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x103a
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x104
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x104f
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1053
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x105f
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1063
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1064
      2 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1067
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x1068
      1 decode.c:2546: Bad TCP checksum 0x5900 versus 0x106c

When decode.c is compiled with gcc 3.2 (from FC5) and -O2, results are the same as for gcc 4.1.0 with -O1.

I didn't investigate 2.4.6 beta thoroughly, but the code is unchanged, and the -O2 compiled decode.c doesn't work.




Snort-users mailing list Snort-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/snort-users

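Added example, not part of the post above and not Snort's in_chksum_tcp: a reference TCP checksum over the IPv4 pseudo-header, written from RFC 1071 and RFC 793 and run over a constructed segment. It makes two things in the post's output concrete. The value the decoder tests with if(csum) is a residual over pseudo-header plus segment, th_sum included, which is 0 only for a correctly checksummed packet; and a non-zero residual is not a recomputed checksum, so pairs such as "0x5900 versus 0x10" are not expected to match. The addresses, ports, payload and function names are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 1071 ones'-complement accumulation over big-endian 16-bit words.
 * A trailing odd byte is padded with a zero low byte, as the RFC requires. */
static uint32_t ones_complement_add(uint32_t sum, const uint8_t *data, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1)
        sum += (uint32_t)data[len - 1] << 8;
    return sum;
}

/* Fold the 32-bit accumulator down to 16 bits with end-around carry. */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* 12-byte IPv4 pseudo-header: src, dst, zero, protocol 6 (TCP), TCP length. */
static void build_pseudo_header(uint8_t ph[12], const uint8_t src[4],
                                const uint8_t dst[4], uint16_t tcp_len)
{
    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    ph[8] = 0;
    ph[9] = 6;
    ph[10] = (uint8_t)(tcp_len >> 8);
    ph[11] = (uint8_t)(tcp_len & 0xff);
}

/* Residual checksum over pseudo-header + whole segment, th_sum included.
 * For a correctly checksummed segment the ones'-complement sum is 0xffff,
 * so the complemented result is 0; anything else means a bad checksum.
 * This is the 0 / non-zero contract the post's if(csum) test relies on. */
uint16_t tcp_residual(const uint8_t src[4], const uint8_t dst[4],
                      const uint8_t *seg, size_t len)
{
    uint8_t ph[12];
    uint32_t sum;
    build_pseudo_header(ph, src, dst, (uint16_t)len);
    sum = ones_complement_add(0, ph, sizeof ph);
    sum = ones_complement_add(sum, seg, len);
    return (uint16_t)~fold(sum);
}

/* Value to place in th_sum: the residual computed with th_sum zeroed. */
uint16_t tcp_checksum(const uint8_t src[4], const uint8_t dst[4],
                      const uint8_t *seg, size_t len)
{
    uint8_t copy[1500];
    if (len < 20 || len > sizeof copy)
        return 0;
    memcpy(copy, seg, len);
    copy[16] = copy[17] = 0;            /* th_sum lives at offset 16 */
    return tcp_residual(src, dst, copy, len);
}

/* Constructed sample (not captured traffic): 192.168.1.10:50000 -> 10.0.0.5:80,
 * 20-byte header, PSH|ACK, 4-byte payload "ABCD", th_sum left as 0. */
static const uint8_t SAMPLE_SRC[4] = { 192, 168, 1, 10 };
static const uint8_t SAMPLE_DST[4] = { 10, 0, 0, 5 };
static const uint8_t SAMPLE_SEG[24] = {
    0xc3, 0x50,  0x00, 0x50,            /* ports 50000 -> 80 */
    0x00, 0x00, 0x00, 0x01,             /* seq 1 */
    0x00, 0x00, 0x00, 0x02,             /* ack 2 */
    0x50, 0x18,  0xff, 0xff,            /* data offset 5, PSH|ACK, window */
    0x00, 0x00,  0x00, 0x00,            /* th_sum (filled in), urgent ptr */
    'A', 'B', 'C', 'D'
};

/* Fill in th_sum on a copy of the sample, optionally bump payload byte 'A'
 * by one afterwards, and return what in_chksum_tcp-style code would see. */
uint16_t sample_residual(int corrupt_payload)
{
    uint8_t seg[sizeof SAMPLE_SEG];
    uint16_t ck;
    memcpy(seg, SAMPLE_SEG, sizeof seg);
    ck = tcp_checksum(SAMPLE_SRC, SAMPLE_DST, seg, sizeof seg);
    seg[16] = (uint8_t)(ck >> 8);
    seg[17] = (uint8_t)(ck & 0xff);
    if (corrupt_payload)
        seg[20]++;                      /* 'A' -> 'B': high byte of one word, sum += 0x100 */
    return tcp_residual(SAMPLE_SRC, SAMPLE_DST, seg, sizeof seg);
}

int main(void)
{
    uint16_t ck = tcp_checksum(SAMPLE_SRC, SAMPLE_DST, SAMPLE_SEG, sizeof SAMPLE_SEG);
    printf("th_sum to send     : 0x%04x\n", ck);
    printf("residual, intact   : 0x%04x\n", sample_residual(0));
    printf("residual, corrupted: 0x%04x\n", sample_residual(1));
    return 0;
}
```

Build with cc -O1 and again with cc -O2 and compare the three printed values; the intact segment must give residual 0 either way, and the one-byte corruption gives a residual (0xfeff) that bears no resemblance to the th_sum field. Running a small known-answer check like this under both optimisation levels is the quickest way to establish that a compiler, not the traffic, is behind diverging checksum results such as the ones in the post.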