Snort mailing list archives
[Snort-admin] Re: Snort core dumped
From: Dragos Ruiu <dr () kyx net>
Date: Fri, 11 Jan 2002 01:56:59 -0800
The snort distribution has a clearly labeled file called BUGS, which outlines what information to gather in case of snort crashes and where to send this information so that the development team may look at it in a timely fashion. At last check this file did not mention posts to Bugtraq or letters to the editor in the NY Times or any other exotic communications as appropriate ways to notify developers about bugs so that they may examine and correct them.

Some of the development team had some more colorful commentary about Mr. Sinbad's choice of notification channels, but let's leave it described as "inappropriate". Posting directly to Bugtraq without notifying the developers is poor form and probably needlessly exposes the organizations that use snort as a key piece of their network defensive strategy to unnecessary risks.

Marty Roesch, the folks at Sourcefire (Marty's company), and the snort developers around the world who volunteer their time to the project are a very responsive team and usually perform excellently in the area of response time for updates in comparison to other industry and open-source projects. The Bugtraq post came to their attention in the morning, and a few hours later a fix was committed to CVS by Marty.

The patch to fix the minor error that caused the crash is listed below for those that want to apply it manually - as only one number needs to be changed from 8 -> 4 to correct an oversight. The project team, however, recommends that users upgrade to the Build 90 CVS version of snort, as in the snort world the CVS version usually represents the most stable and bug-free version of snort available. The CVS version also contains some other minor bug fixes incorporated since the relatively stable 1.8.3 release.
Instructions for accessing the CVS version can be found at http://www.snort.org

We respectfully suggest that this sort of situation be handled in the future by following the instructions for reporting potential defects outlined in the BUGS file that accompanies snort distributions. Thank you.

[01/10 12:47:09] <roesch> here's the patch to fix the sinbad "crash"

--- olddecode.h Thu Jan 10 15:47:48 2002 +++ decode.h Thu Jan 10 12:15:33 2002 @@ -105,7 +105,7 @@ #define IP_HEADER_LEN 20 #define TCP_HEADER_LEN 20 #define UDP_HEADER_LEN 8 -#define ICMP_HEADER_LEN 8 +#define ICMP_HEADER_LEN 4 #define TH_FIN 0x01 #define TH_SYN 0x02

On Wed, 09 Jan 2002, Sinbad wrote:
Run snort:
# snort -dev host 192.168.0.3 and 192.168.0.1

Ping 192.168.0.1 from 192.168.0.3 within one data in payload:
# ping -c 1 -s 1 192.168.0.1

Snort's output is shown below:
-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
01/10-11:34:43.898282 0:80:AD:78:83:BB -> 0:E0:18:C4:52:76 type:0x800 len:0x2B
192.168.0.3 -> 192.168.0.1 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:29 DF
Type:8 Code:0 ID:9435 Seq:0 ECHO
Segmentation fault (core dumped)

hmm... core dumped! while with the '-X' option it works well. :)
Have you ever seen this happen?

Regards, Sinbad
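Review bot: the changed line `+#define ICMP_HEADER_LEN 4` in the decode.h hunk needs a comment stating what the 4 bytes cover, because the neighbouring constants (IP_HEADER_LEN 20, TCP_HEADER_LEN 20, UDP_HEADER_LEN 8) are full minimum header sizes and this one no longer is for echo packets, which carry ID and Seq after the type, code and checksum. The hunk does not show where the constant is used, so please confirm that every decode and print path that relies on ICMP_HEADER_LEN, or reads the ID and Seq fields, checks the remaining length first; a regression test built from the `ping -c 1 -s 1` packet in the report would pin the fix.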
-- --dr http://dragos.com/dr-dursec.asc CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com