Snort mailing list archives
Re: 1.8.3 segfaulting
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 25 Dec 2001 17:04:54 -0800 (PST)
On Wed, 26 Dec 2001, Wolfgang Rohdewald wrote:
> This snort.conf line causes a coredump:
>
> var DNS_SERVERS [62.104.191.241/32 62.104.196.134/32]
>
> I fixed it by replacing the space by a comma. Yet I don't think snort should coredump.
>
> /etc/rc.d/init.d# snort -V
> -*> Snort! <*-
> Version 1.8.3 (Build 88)
>
> ltrace /usr/bin/snort -dv -e -A full -i ippp0 -c /etc/snort/snort.conf
> strcasecmp("portscan-ignorehosts", "portscan-ignorehosts") = 0
> strlen(0x08081c06, 32, 0xbfffcd78, 0x08052dbe, 16384) = 1
> strlen(0x080d97c8, 32, 0xbfffcd78, 0x08052dbe, 16384) = 18
> malloc(124) = 0x080d9828
> malloc(19) = 0x080d98a8
> memcpy(0x080d98a8, "[62.104.191.241/32", 18) = 0x080d98a8
> calloc(12, 1) = 0x080d98c0
> strrchr("[62.104.191.241/32", ']') = NULL
> --- SIGSEGV (Segmentation fault) ---
From the mailing list archives a week or so ago, there was a long conversation about how spp_portscan can't/won't use the format used in DNS_SERVERS. Here's a snip from Phil Wood's email.

---snip---
2. var DNS_SERVERS [XX.XX.XX.XX/32, YY.YY.YY.YY/32]

***THIS COMMENT ONLY APPLIES to a configuration which has portscan enabled.

Note that portscan code was never re-written to handle the classic [a.b.c.0/24,q.r.s.t,...] (or negation thereof.) If you want DNS_SERVERS to be parsed by portscan-ignorehosts preprocessor you must use a space separated list. So, without exhausting comprehension of the parsing code in spp_portscan.c there is no telling what would be ignored or not if DNS_SERVERS is used.
---snip---

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
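The crash pattern visible in the ltrace output (a bracket search returning NULL on a whitespace-split token) and one way a list parser can reject such input instead of dereferencing the result, as an added example that is not part of the original thread and is not Snort's code. The names `parse_host_list`, `MAX_ENTRY` and `SEP` are hypothetical, and the inputs in `main` are constructed from the addresses quoted above.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRY 32          /* assumed bound for one "a.b.c.d/nn" entry */
#define SEP ", \t"            /* accept comma or whitespace separators */

/* Hypothetical parser, not Snort code. Splits a value such as
 * "[62.104.191.241/32 62.104.196.134/32]" into entries and returns the
 * count, or -1 on malformed input so the caller can report a config error. */
int parse_host_list(const char *value, char out[][MAX_ENTRY], int max_out)
{
    const char *p, *end;
    int n = 0;
    if (value == NULL)
        return -1;
    p = value + strspn(value, " \t");
    end = p + strlen(p);
    if (*p == '[') {
        /* Find the closing bracket on the whole value, not on one token.
         * In the ltrace output strrchr() on "[62.104.191.241/32" returns
         * NULL right before the SIGSEGV; here NULL is a parse error. */
        const char *close = strrchr(p, ']');
        if (close == NULL || close[1 + strspn(close + 1, " \t")] != '\0')
            return -1;        /* no ']' at all, or text after it */
        end = close;
        p++;
    } else if (strchr(p, ']') != NULL) {
        return -1;            /* ']' without an opening '[' */
    }
    while ((p += strspn(p, SEP)) < end) {
        size_t len = strcspn(p, SEP "]");
        if (len == 0 || len >= MAX_ENTRY || n >= max_out ||
            memchr(p, '[', len) != NULL)
            return -1;        /* stray bracket, oversized or excess entry */
        memcpy(out[n], p, len);
        out[n++][len] = '\0';
        p += len;
    }
    return n;
}

int main(void)
{
    char out[8][MAX_ENTRY];   /* constructed inputs: both list forms, one truncated */
    printf("%d\n", parse_host_list("[62.104.191.241/32 62.104.196.134/32]", out, 8));
    printf("%d\n", parse_host_list("[62.104.191.241/32,62.104.196.134/32]", out, 8));
    printf("%d\n", parse_host_list("[62.104.191.241/32", out, 8));
    return 0;
}
```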