Snort mailing list archives

RE: Snort 1.8.2 crashes on FlexResp


From: "Michael Steele" <michaels () silicondefense com>
Date: Thu, 15 Nov 2001 09:54:40 -0800

Idon,
 
We have compiled the last stable (?) release of Snort 1.8.2 b85. This
release has the latest LibnetNT.dll with some major updating that was
done. Of course this only applies to the Flexresp binaries.
 
Please let me know if this fixes the problems, or opens others.
-Mike

Commercial Snort Support <<->> 1.866.41.SNORT
  Silicon Defense - www.silicondefense.com
    Home of the new SENTRUS Snort sensor!
  Michael Steele - Snort Support Technician
-----Original Message-----
From: Idon [mailto:fehe () hotmail com] 
Sent: Tuesday, November 13, 2001 5:52 AM
To: Michael Steele
Subject: Snort 1.8.2 crashes on FlexResp
 
Mike,
 
Thanks for updating the LibnetNT.dll file.  There is however a serious
bug in the distribution.  Specifically with respect to the FlexResp
function.  Here's the scoop:
 
Basically, I added the FlexResp response "rst_all" to the pron {sic}
rules to reset the connection if the HTTP content matched.  However,
when a match occurs, snort crashes and the connection does not get
reset.  It is my suspicion that what is actually crashing is
LibnetNT.dll and not snort.exe itself.  I could of course be wrong and
it's just that FlexResp is not working properly in the 1.8.2
distribution.  I have never used FlexResp with 1.8.1 so I don't know if
it ever worked there.
 
The reason I'm suspecting LibnetNT.dll is because, with the new build of
LibnetNT.dll (November 8, 2001) snort simply crashes; however, with the
August 24, 2000 build of LibnetNT.dll, snort keeps running, but I get
the following output at the console:
 
-*> Snort! <*-
Version 1.8-MySQL-FlexRESP-WIN32 (Build 87)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net,
www.datanerds.net/~mike)
1.8-WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
          (based on code from 1.7 port)
PacketSendPacket failed
PacketSendPacket failed
PacketSendPacket failed
PacketSendPacket failed
PacketSendPacket failed
PacketSendPacket failed
PacketSendPacket failed
PacketSendPacket failed
PacketSendPacket failed
PacketSendPacket failed
PacketSendPacket failed
PacketSendPacket failed
 
 
The following is my system configuration:
 
Windows 2000 Server, Sp2 + all hotfixes
Internet Explorer 6.0
WinPcap 2.3 Beta
Snort 1.8.2 FlexResp and MySQL binary
MySQL 3.23.44
Dual-homed config with Snort listening on Internet-side interface only.
 
 
Please let me know what you find out.
 
Thanks,
 
 
Idon
