Xplico.org
http://forum.xplico.org/

Bug in 0.7.1 Source ?
http://forum.xplico.org/viewtopic.php?f=4&t=498
Page 1 of 1

Author:  ipfrag [ Wed Feb 08, 2012 8:10 pm ]
Post subject:  Bug in 0.7.1 Source ?

This looks like a bug:
xplico-0.7.1\dispatch\cli\cli.c (line 2814)
Code:
        else if (ppei->prot_id == syslog_id) {
            syslog++;
            ret = DispSyslog(ppei);
        }

Should be...
Code:
        else if (ppei->prot_id == syslog_id) {
            if (ppei->ret == FALSE) {
                syslog++;
            }
            ret = DispSyslog(ppei);
        }

Author:  gianluca.costa [ Wed Feb 08, 2012 9:44 pm ]
Post subject:  Re: Bug in 0.7.1 Source ?

Hi
thanks. Yes, it is a bug.

Ciao.
Gianluca

Author:  ipfrag [ Mon Feb 13, 2012 4:08 pm ]
Post subject:  Re: Bug in 0.7.1 Source ?

I think I found another bug:
xplico-0.7.1\dispatch\lite\lite.c - line 4551, 4555

Bug: Using "XS_TELNET_DIR_PATH" in the DispSyslog function.

Code:
static int DispSyslog(pei *ppei)
{

   ...

    /* compose query and insert record */
    if (path) {
        /* new path */
        name = strrchr(path, '/');
        name++;
        sprintf(rep, XS_TELNET_DIR_PATH"/%s", pol, sess, name);
        rename(path, rep);
        DispFilePaths(pol, rep);
        /* flow info */
        sprintf(flow_info, XS_TELNET_DIR_PATH"/flow_%s.xml", pol, sess, name);
        DispFlowInfo(flow_info, ppei->stack);
        /* query */
        sprintf(query, XS_QUERY_SYSLOG_TEMPLATE, sess, pol, src_id, PEI_TIME(ppei->time_cap), flow_info,
                hosts, rep, (unsigned long)size);
        if (DispQuery(query, NULL) != 0) {
            printf("query: %s\n", query);
        }
    }

    return 0;
}

Author:  ipfrag [ Mon Feb 13, 2012 4:42 pm ]
Post subject:  Re: Bug in 0.7.1 Source ?

Also, is there a dissector for syslog in the "xplico-0.7.1\dissectors" directory?

Author:  gianluca.costa [ Mon Feb 13, 2012 8:09 pm ]
Post subject:  Re: Bug in 0.7.1 Source ?

Hi ipfrag,
yes, it is a bug, but it is not so important, i.e. with or without the correct #define nothing changes (the Xplico functionality is OK in both cases).

The syslog dissector will be released with the next version: 1.0.0.

Ciao.
Gianluca

Author:  ipfrag [ Thu Feb 16, 2012 4:29 pm ]
Post subject:  Re: Bug in 0.7.1 Source ?

Minor bug in "xplico-0.7.1\dissectors\telnet\telnet.c" - line 448

Code:
hdep.pktlim = TELNET_PKT_LIMIT;

should be...
Code:
TELNET_PKT_CHECK

Author:  gianluca.costa [ Thu Feb 16, 2012 9:03 pm ]
Post subject:  Re: Bug in 0.7.1 Source ?

Hi,
no, this is not a bug.
TELNET_PKT_LIMIT (i.e. hdep.pktlim) is the maximum number of packets on which the module (telnet) can recognize its protocol (i.e. the telnet protocol). Beyond that, Xplico's core does not give the module the opportunity to analyze a (single) flow that is not yet classified (recognized).
That parameter is used to not load the CPU unnecessarily.

TELNET_PKT_CHECK is the number of (real) telnet packets that classify a (not yet classified/recognized) flow as telnet protocol.

Ciao.
Gianluca
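
The difference between the two constants described in the reply above, as an added sketch that is not Xplico's code and not part of the original thread. The names `EX_PKT_LIMIT`, `EX_PKT_CHECK`, `offer_packet`, `looks_like_telnet` and `run_flow`, the values 10 and 2, and the IAC-based heuristic are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values: the thread does not show the real TELNET_PKT_* numbers. */
#define EX_PKT_LIMIT 10  /* packets the core offers for an unclassified flow */
#define EX_PKT_CHECK 2   /* telnet-looking packets needed to classify it */

enum verdict { UNDECIDED, IS_TELNET, GAVE_UP };

struct flow_state {
    unsigned seen;     /* packets offered so far */
    unsigned matched;  /* packets that looked like telnet */
    enum verdict v;
};

/* Hypothetical heuristic: IAC (0xFF) + WILL/WONT/DO/DONT (251..254) + option. */
static int looks_like_telnet(const uint8_t *p, size_t len)
{
    for (size_t i = 0; i + 2 < len; i++)
        if (p[i] == 0xFF && p[i + 1] >= 251 && p[i + 1] <= 254)
            return 1;
    return 0;
}

/* Offer one packet of a not-yet-classified flow; returns the verdict so far. */
static enum verdict offer_packet(struct flow_state *f, const uint8_t *p, size_t len)
{
    if (f->v != UNDECIDED)
        return f->v;                       /* a decision is final */
    f->seen++;
    if (looks_like_telnet(p, len) && ++f->matched >= EX_PKT_CHECK)
        return f->v = IS_TELNET;           /* enough real telnet packets seen */
    if (f->seen >= EX_PKT_LIMIT)
        return f->v = GAVE_UP;             /* budget spent: stop using CPU here */
    return UNDECIDED;
}

/* Constructed flow: `noise_before` non-telnet packets, then `telnet_pkts`. */
static enum verdict run_flow(unsigned noise_before, unsigned telnet_pkts)
{
    static const uint8_t nego[] = { 0xFF, 0xFD, 0x18 };   /* IAC DO TERMINAL-TYPE */
    static const uint8_t noise[] = "GET / HTTP/1.1\r\n";
    struct flow_state f = { 0, 0, UNDECIDED };
    for (unsigned i = 0; i < noise_before; i++)
        offer_packet(&f, noise, sizeof noise - 1);
    for (unsigned i = 0; i < telnet_pkts; i++)
        offer_packet(&f, nego, sizeof nego);
    return f.v;
}

int main(void)
{
    printf("%d %d %d\n", run_flow(0, 2), run_flow(8, 2), run_flow(9, 2));
    return 0;
}
```

Setting the limit equal to the check count, as the previous post proposed, would leave no room for non-matching packets at the start of a flow: any flow whose first packets are not all recognisable as telnet would be abandoned.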

Author:  ipfrag [ Fri Feb 17, 2012 7:13 pm ]
Post subject:  Re: Bug in 0.7.1 Source ?

My mistake.

All times are UTC