Comments (9)
Matt, what version of the JOY software are you using? Also, do you have a dump of the segfault?
I am using version 3.0.0. When I did a backtrace it showed it was faulting on line 529 of nfv9.c. I will try and upload the segfault. I am not the most proficient with gdb, but it looked to me to be having an issue with the flowdata pointer. The pointer wasn’t null, and what it was pointing to in memory matched the contents of the netflow packet. So I was a bit stumped.
It works fine on the IDP and SPLT field types.
Matt,
I tried to reproduce this issue with the pcap you sent along. The problem does not occur. I checked the code from 3.0.0 versus what is there now and there isn't any difference between latest and 3.0.0. Line 529 in nfv9.c is where it is processing TLS sequence of records, lengths and times. I looked at the packet capture for packet 20 and the templates seemed to be filled out correctly with the right field IDs.
It would be great if you could provide the stack trace dump. As an aside, there has been a fair amount of cleanup done around memory handling. It might be worthwhile moving to 4.0.1 (latest) on master and retesting.
Ok, I reproduced it with v4.0.0.
This is what I did:
- git clone https://github.com/cisco/joy
- git checkout v4.0.0
- ./config.sh
- /configure
- make clean;make
- ./bin/joy bidir=1 dist=1 classify=1 nfv9_port=4739 verbosity=2 crs1000.pcap
I have attached the core dump file as well as the pcap file. When I looked at it in gdb it looked to still be crashing in the same spot. So I don’t know if I am doing something wrong or what?
Matt, I will be out of the office tomorrow and all next week. I will take a look at it when I return after the holiday.
Matt, I think I have it figured out. See if the changes I made in nfv9.c make everything better for you. Here is the diff:
diff --git a/src/nfv9.c b/src/nfv9.c
index 8239d17..61278f4 100644
--- a/src/nfv9.c
+++ b/src/nfv9.c
@@ -520,6 +520,16 @@ void nfv9_process_flow_record (flow_record_t *nf_record,
flow_data += htons(cur_template->fields[i].FieldLength);
break;
case TLS_SRLT:
-
/* if TLS structure is NULL get one */
-
if (nf_record->tls == NULL) {
-
tls_init(&nf_record->tls);
-
/* if still NULL bail on this processing */
-
if (nf_record->tls == NULL) {
-
flow_data += htons(cur_template->fields[i].FieldLength);
-
break;
-
}
-
}
-
total_ms = 0; for (j = 0; j < 20; j++) { if (htons(*(const short *)(flow_data+j*2)) == 0) {
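Review bot: the lazy `tls_init(&nf_record->tls)` guard at the top of the TLS_SRLT case is the right fix for the NULL `nf_record->tls` that Matt's backtrace pointed at around line 529, but the identical check-init-recheck-bail block is pasted into every TLS case in this patch (here and again for TLS_CS, TLS_EXT, TLS_VERSION, TLS_CLIENT_KEY_LENGTH, TLS_SESSION_ID and TLS_HELLO_RANDOM). Pull it into one small helper that returns whether `nf_record->tls` is usable, or run the check once before the switch for any TLS_* field type, so the bail-out path (`flow_data += htons(cur_template->fields[i].FieldLength); break;`) exists in one place and cannot drift between cases. Separately, the loop that follows, `for (j = 0; j < 20; j++) { if (htons(*(const short *)(flow_data+j*2)) == 0) ...`, still reads up to 40 bytes of the record without comparing against `htons(cur_template->fields[i].FieldLength)`; bounding j by the smaller of 20 and `FieldLength / 2` keeps a short or malformed template from reading past the field.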
@@ -540,6 +550,16 @@ void nfv9_process_flow_record (flow_record_t *nf_record,
flow_data += htons(cur_template->fields[i].FieldLength);
break;
case TLS_CS:
-
/* if TLS structure is NULL get one */
-
if (nf_record->tls == NULL) {
-
tls_init(&nf_record->tls);
-
/* if still NULL bail on this processing */
-
if (nf_record->tls == NULL) {
-
flow_data += htons(cur_template->fields[i].FieldLength);
-
break;
-
}
-
}
-
for (j = 0; j < 125; j++) { if (htons(*(const short *)(flow_data+j*2)) == 65535) { break;
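Review bot: the sentinel loop `for (j = 0; j < 125; j++) { if (htons(*(const short *)(flow_data+j*2)) == 65535) { break;` reads up to 125 shorts (250 bytes) looking for 0xFFFF whether or not the template's FieldLength covers them; bound j by `htons(cur_template->fields[i].FieldLength) / 2` as well as 125 so the scan stops at the end of the advertised field. The init block above it is a verbatim copy of the TLS_SRLT one and would go away with the shared helper suggested there.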
@@ -551,6 +571,16 @@ void nfv9_process_flow_record (flow_record_t *nf_record,
flow_data += htons(cur_template->fields[i].FieldLength);
break;
case TLS_EXT:
-
/* if TLS structure is NULL get one */
-
if (nf_record->tls == NULL) {
-
tls_init(&nf_record->tls);
-
/* if still NULL bail on this processing */
-
if (nf_record->tls == NULL) {
-
flow_data += htons(cur_template->fields[i].FieldLength);
-
break;
-
}
-
}
-
for (j = 0; j < 35; j++) { if (htons(*(const short *)(flow_data+j*2)) == 0) { break;
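Review bot: same shape as the TLS_CS case: `for (j = 0; j < 35; j++) { if (htons(*(const short *)(flow_data+j*2)) == 0) { break;` scans 70 bytes for a zero sentinel with no FieldLength bound; use the smaller of 35 and `htons(cur_template->fields[i].FieldLength) / 2`, and replace the third copy of the init block with the shared helper.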
@@ -564,20 +594,60 @@ void nfv9_process_flow_record (flow_record_t *nf_record,
flow_data += htons(cur_template->fields[i].FieldLength);
break;
case TLS_VERSION:
-
/* if TLS structure is NULL get one */
-
if (nf_record->tls == NULL) {
-
tls_init(&nf_record->tls);
-
/* if still NULL bail on this processing */
-
if (nf_record->tls == NULL) {
-
flow_data += htons(cur_template->fields[i].FieldLength);
-
break;
-
}
-
}
-
nf_record->tls->version = *(const char *)flow_data; flow_data += htons(cur_template->fields[i].FieldLength); break; case TLS_CLIENT_KEY_LENGTH:
-
/* if TLS structure is NULL get one */
-
if (nf_record->tls == NULL) {
-
tls_init(&nf_record->tls);
-
/* if still NULL bail on this processing */
-
if (nf_record->tls == NULL) {
-
flow_data += htons(cur_template->fields[i].FieldLength);
-
break;
-
}
-
}
-
nf_record->tls->client_key_length = htons(*(const short *)flow_data); flow_data += htons(cur_template->fields[i].FieldLength); break; case TLS_SESSION_ID:
-
/* if TLS structure is NULL get one */
-
if (nf_record->tls == NULL) {
-
tls_init(&nf_record->tls);
-
/* if still NULL bail on this processing */
-
if (nf_record->tls == NULL) {
-
flow_data += htons(cur_template->fields[i].FieldLength);
-
break;
-
}
-
}
-
nf_record->tls->sid_len = htons(*(const short *)flow_data); nf_record->tls->sid_len = min(nf_record->tls->sid_len,256); memcpy(nf_record->tls->sid, flow_data+2, nf_record->tls->sid_len); flow_data += htons(cur_template->fields[i].FieldLength); break; case TLS_HELLO_RANDOM:
-
/* if TLS structure is NULL get one */
-
if (nf_record->tls == NULL) {
-
tls_init(&nf_record->tls);
-
/* if still NULL bail on this processing */
-
if (nf_record->tls == NULL) {
-
flow_data += htons(cur_template->fields[i].FieldLength);
-
break;
-
}
-
}
-
memcpy(nf_record->tls->random, flow_data, 32); flow_data += htons(cur_template->fields[i].FieldLength); break;
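Review bot: in the TLS_SESSION_ID case, `sid_len` is clamped to 256 (the destination size) but neither the 2-byte length prefix nor `sid_len` is checked against `htons(cur_template->fields[i].FieldLength)`, so `memcpy(nf_record->tls->sid, flow_data+2, nf_record->tls->sid_len)` can copy past the end of the field when the exported length exceeds what the template reserved; after confirming FieldLength is at least 2, clamp with the smaller of `sid_len` and `FieldLength - 2`. TLS_HELLO_RANDOM has the same gap: `memcpy(nf_record->tls->random, flow_data, 32)` copies a fixed 32 bytes regardless of FieldLength, and TLS_VERSION (one byte) and TLS_CLIENT_KEY_LENGTH (one short) read without a length check either. A single helper that both lazily initialises `nf_record->tls` and validates FieldLength before the read would replace the four further copies of the init block in this hunk and put the bounds check in one reviewable spot.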
Thanks - I tested it and it seems to have fixed it.