Snort mailing list archives
Re: Fwd: Snort3: bug with "-z" when it only in config
From: Meridoff via Snort-devel <snort-devel () lists snort org>
Date: Sat, 24 Nov 2018 21:17:31 +0300
Awesome, thanks for the update!

Fri, 23 Nov 2018 at 14:55, Russ <rucombs () cisco com>:
> This is fixed in the latest on github.
>
> Thanks
> Russ
>
> On 11/23/18 6:10 AM, Meridoff wrote:
>> I think I meant snort = { ["-z"]=0 } (instead of =true) if the system has many CPUs (8 in my case), or just snort = { ["-z"]=8 }.
>>
>> Fri, 23 Nov 2018 at 13:57, Meridoff <oagvozd () gmail com>:
>>> Hello,
>>>
>>> Wed, 21 Nov 2018 at 17:03, Russ via Snort-devel <snort-devel () lists snort org>:
>>>> Hi Meridoff,
>>>>
>>>> I'm not able to reproduce the exact issue you report but I did find a bug. What version of Snort++ are you using? Here is a summary of my findings:
>>>
>>> Snort++ 3.0.0-247
>>>
>>>> 1. snort["-z"] = true is a misconfiguration and should not be expected to work under any circumstances.
>>>
>>> Sorry, it was my misprint, I mean for example snort["-z"] = 2 (NUMBER)
>>>
>>>> 2. snort = { "-z" = 2 } is invalid Lua.
>>>> 3. snort = { }; snort["-z"] = 2 is a valid configuration (number not boolean) and we will fix that bug.
>>>
>>> Yes, my message is based on such a config.
>>>
>>>> Below is what I'm seeing with the latest. Note that I'm using --lua for clarity but the same results hold if you put the command line Lua chunks directly in your snort.lua.
>>>>
>>>> Thanks for reporting the issue.
>>>> Russ
>>>>
>>>> $ ./snort -c snort.lua --lua 'snort["-z"] = true'
>>>> --------------------------------------------------
>>>> o")~ Snort++ 3.0.0-249
>>>> --------------------------------------------------
>>>> Loading snort.lua:
>>>> FATAL: can't init overrides: [string "require('snort_config'); snort["-z"] = true"]:1: attempt to index global 'snort' (a nil value)
>>>> Fatal Error, Quitting..
>>>>
>>>> That makes sense, because the snort table is not defined. Defining that causes Snort to hang:
>>>>
>>>> $ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = true'
>>>> --------------------------------------------------
>>>> o")~ Snort++ 3.0.0-249
>>>> --------------------------------------------------
>>>> Loading snort.lua:
>>>> ssh pop binder stream_tcp gtp_inspect dce_http_proxy stream_icmp normalizer ftp_server stream_udp dce_smb snort
>>>> ^C
>>>> o")~ caught int signal, exiting
>>>>
>>>> That's the bug I mentioned. Some command line switches trigger different modes and setting the default for --rule-to-text causes Snort to expect input on stdin. Patching around that yields the expected error because -z takes a number not a boolean:
>>>>
>>>> $ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = true' | grep ERROR
>>>> ERROR: invalid snort.-z = 1
>>>>
>>>> $ ./snort -? | grep "\-z"
>>>> -z <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:)
>>>>
>>>> Changing to a valid value works as expected:
>>>>
>>>> $ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = 2' | grep success
>>>> Snort successfully validated the configuration (with 0 warnings).
>>>>
>>>> On 11/20/18 11:06 AM, Meridoff via Snort-devel wrote:
>>>>> not only accessing an uninitialized but even an unallocated array, created in the PHClass constructor
>>>>>
>>>>> ---------- Forwarded message ---------
>>>>> From: Meridoff <oagvozd () gmail com>
>>>>> Date: Tue, 20 Nov 2018 at 19:03
>>>>> Subject: Snort3: bug with "-z" when it only in config
>>>>> To: <snort-devel () lists snort org>
>>>>>
>>>>> Hello, when option -z (total instances) is given only in config (snort["-z"]=true), then it equals 1 (default?) for some of the inspectors/plugins/modules, because they are initialized between parse_cmd_line and parse_config (where -z lies).
>>>>>
>>>>> Due to this bug/feature, for many instances we have access to the uninitialized array p->pp_class.init[slot] in function InspectorManager::thread_init(), when slot > 1, but this array for some inspectors (appid, telnet, etc.) has length 1 (see the PHClass constructor).
>>>>>
>>>>> So we must duplicate "-z" on the command line or not use snort["-z"]=true at all.
>>>>>
>>>>> _______________________________________________
>>>>> Snort-devel mailing list
>>>>> Snort-devel@lists.snort.org
>>>>> https://lists.snort.org/mailman/listinfo/snort-devel
>>>>>
>>>>> Please visit http://blog.snort.org for the latest news about Snort!
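The initialization-order problem from the original report, modelled as an added example that is not part of the thread and not Snort source: `PluginClass`, `Settings` and the functions below are hypothetical names, with the per-thread `init` vector standing in for the `pp_class.init[slot]` array the report names. A bounds-checked accessor counts the slots that would have been written past the array when the config supplies `-z` after the plugin was constructed.

```cpp
// Added illustration; hypothetical model, not Snort source code.
#include <cstdio>
#include <vector>

// Stand-in for a plugin class whose per-thread init array is sized once,
// from the packet-thread count known at construction time.
struct PluginClass {
    std::vector<bool> init;
    explicit PluginClass(unsigned threads) : init(threads, false) {}

    // Bounds-checked replacement for a raw init[slot] write.
    bool mark_thread_init(unsigned slot) {
        if (slot >= init.size()) return false;  // slot the array was never sized for
        init[slot] = true;
        return true;
    }
};

struct Settings { unsigned max_threads = 1; };  // -z default is 1 per the help text

// Run thread init for every slot; return how many slots fell outside the array.
static unsigned count_bad_slots(PluginClass& p, const Settings& s) {
    unsigned bad = 0;
    for (unsigned slot = 0; slot < s.max_threads; ++slot)
        if (!p.mark_thread_init(slot)) ++bad;
    return bad;
}

// Order in the report: plugin constructed before the config supplies -z.
unsigned bad_slots_config_after_plugins(unsigned z_from_config) {
    Settings s;                         // command line parsed, no -z given
    PluginClass plugin(s.max_threads);  // array sized for 1 thread
    s.max_threads = z_from_config;      // config parsed afterwards
    return count_bad_slots(plugin, s);
}

// One possible ordering (an assumption, not necessarily Snort's fix):
// the thread count is final before any per-thread array is sized.
unsigned bad_slots_config_before_plugins(unsigned z_from_config) {
    Settings s;
    s.max_threads = z_from_config;
    PluginClass plugin(s.max_threads);
    return count_bad_slots(plugin, s);
}

int main() {
    std::printf("config after plugins,  -z=8: %u bad slots\n", bad_slots_config_after_plugins(8));
    std::printf("config before plugins, -z=8: %u bad slots\n", bad_slots_config_before_plugins(8));
    return 0;
}
```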