Re: Win32 snort crashing when -A not used

[Kistler Ueli <iuk () gmx ch>]

Hello.. i wanted to correct some things you said. Snort -A option works
well on my build (official Silicondefense b128) by the way...

Rich Adamson wrote:

> > Perhaps this is old news:
> >
> > I have experienced a reproducible crash of Snort 1.8.7 on Win2K when -A
> > option is not used on the command line. It happens with both Build 121 from
> > Silicon Defense as well as my own compilation of Build 128. Further digging found
> > that Snort performs fclose on an illegal FILE handle in
> > FastAlertCleanExitFunc or FullAlertCleanExitFunc (depending on the config file). The debugger 
> >    
> sees
>  
>
> > two(!) of these fclose calls. The first one looks legitimate; it is the
> > second one that causes the crash.
> >
> > Anybody knows a remedy?
> >    
>
> I'm seeing the same thing on Win2k using version 1.8.7beta5-ODBC-Win32 (build 128)
> barebones_release with the just-downloaded-and-installed WinPcap v2.3. Two 
> different "crashes"; one rebooted the PC automatically, the other hung the
> machine requiring a power recycle.
>
> I also installed IDScenter 1.09 beta2, and it too has a couple of bugs including:
>  a. no way to "see" how to set the -A flag,
Log settings -> Log parameters -> Set alert mode

>  b. IDScenter complains about a missing classification file (but then it is
>     fine after stopping/restarting IDScenter)
IDS rules -> Rules/Signatures -> .. select the classification.config
file (official Snort distribution classification file). This has to be
done ONCE.
This file is usally in the same folder as "Snort.exe"... if not you must
give the correct path of course (like you would do it in Snort.conf
manually).

>  c. IDScenter does not "start" snort when the button is selected; can only be
>     started from the system tray icon (right-click, Start Snort)
General -> Main configuration -> Autostart options -> Start Snort when
IDScenter is started

>  d. Pop-up window that says "Must generate Script", but nothing to indicate
>     how/where to do that. (Found out the hard way that clicking the Apply
>     button apparently does that when no errors have been found)
I renamed the button and missed to update the code of the message dialog
(but it is explained in the IDScenter HTML manual).

> Rich
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Two, two, TWO treats in one.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>  
Regards,
  Ueli Kistler
  eclipse () packx net

--