Snort mailing list archives
Bug of Snort run on windows 10: Snort can not start successfully
From: Hongchun Li via Snort-devel <snort-devel () lists snort org>
Date: Mon, 14 Oct 2019 12:44:08 -0500
Hi Dear Developers,

The attached patch is my fix based on version 2.9.15, made with the command diff -u orig new > parseru.patch. Could you please check the patch and apply it to your code? I hope you can have this fix in your release, especially in the Windows version package.

Best Regards,
Hongchun

Hi Dear,

I got a bug in the Windows version of Snort when starting it on Windows 10.

- The version of Snort: snort-2.9.14.1
- Information on the rules enabled: Snort start failed, not related to rules.
- How Snort was built: I downloaded the installation package Snort_2_9_14_1_Installer.exe from snort.org and just installed it.
- Your configuration files (snort.conf, *.rules, threshold.conf, etc.)
- Platform information: OS and hardware (Windows 10, Intel 64bit)
- [image: snort_cmd.png]

*More information:* Sometimes, Snort just reports ERROR:...... Failed to parse the IP address: 8.0.0.0/8.0.0.0.

Analysis: that is because the WinPcap driver returns the wrong network mask, and Snort did not check whether this network mask is valid or not.

*Bug fix:* In file parser.c, just add all the red code like the following.

    /****************************************************************************
     *
     * Function  : IsNetmaskValid()
     * Purpose   : Check if a network mask value is valid
     * Arguments : mask  ipv4 network mask (network byte order)
     * Returns   : 1 for valid, 0 for invalid
     *
     ****************************************************************************/
    static int IsNetmaskValid(bpf_u_int32 mask)
    {
        /* pcap_lookupnet() returns the mask in network byte order; convert it
         * to host order so the prefix bits sit at the top for the bit test */
        mask = ntohl(mask);

        if (mask == 0)
            return 0;

        /* a set bit directly below a clear bit means the mask is not contiguous */
        if (mask & (~mask >> 1))
            return 0;

        return 1;
    }

    /****************************************************************************
     *
     * Function  : DefineAllIfaceVars()
     * Purpose   : Find all up interfaces and define iface_ADDRESS vars for them
     * Arguments : none
     * Returns   : void function
     *
     ****************************************************************************/
    static void DefineAllIfaceVars(SnortConfig *sc)
    {
        /* Cache retrieved devs so if user is running with dropped privs and
         * does a reload, we can use previous values */
        static int num_vars = 0;

        /* Should be more than enough to cover the number of
         * interfaces on a machine */
        static iface_var_t iface_vars[IFACE_VARS_MAX];

        if (num_vars > 0)
        {
            int i;

            for (i = 0; i < num_vars; i++)
            {
                DefineIfaceVar(sc, iface_vars[i].name,
                               (uint8_t *)&iface_vars[i].net,
                               (uint8_t *)&iface_vars[i].netmask);
            }
        }
        else
        {
            char errbuf[PCAP_ERRBUF_SIZE];
            pcap_if_t *alldevs;
            pcap_if_t *dev;
            bpf_u_int32 net, netmask;
    #ifdef WIN32
            int i = 1;
    #endif

            if (pcap_findalldevs(&alldevs, errbuf) == -1)
                return;

            for (dev = alldevs; dev != NULL; dev = dev->next)
            {
                /* skip interfaces whose reported netmask is not valid */
                if (pcap_lookupnet(dev->name, &net, &netmask, errbuf) == 0
                    && IsNetmaskValid(netmask) == 1)
                {
                    /* ... */

*Could you please add this bug fix and build a Windows installation package for me? I am using the Windows version for some important testing these days.*

*Or could you please provide me a document on how to build the code for the Windows version? I see that the Visual Studio project files like .dsw and .dsp use the old development kit. I tried to build it and finally failed after many tries.*

--
Best regards,
Hongchun
Attachment:
parseru.patch
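
An added example, not part of the original message or of the Snort source: a stand-alone netmask check that converts the value from network byte order (the order in which pcap_lookupnet() returns it) before testing that the set bits are contiguous, and returns the prefix length. The function names and the sample masks, including the 8.0.0.0 value from the error message above, are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Portable stand-in for ntohl(): read the four bytes as they sit in memory
 * (network order) and assemble a host-order integer. */
static uint32_t net_to_host32(uint32_t v)
{
    const unsigned char *b = (const unsigned char *)&v;
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Build a network-order value from dotted-quad octets (sample-data helper). */
static uint32_t quad(unsigned a, unsigned b, unsigned c, unsigned d)
{
    uint32_t v;
    unsigned char *p = (unsigned char *)&v;
    p[0] = (unsigned char)a; p[1] = (unsigned char)b;
    p[2] = (unsigned char)c; p[3] = (unsigned char)d;
    return v;
}

/* Returns the prefix length (1..32) of a contiguous mask given in network
 * byte order, or -1 if the mask is 0.0.0.0 or has a hole in it. */
static int netmask_prefix_len(uint32_t mask_net)
{
    uint32_t m = net_to_host32(mask_net);
    uint32_t inv = ~m;
    int len = 0;

    if (m == 0)
        return -1;
    /* For a contiguous mask, ~m is 2^k - 1, so it shares no bit with ~m + 1. */
    if (inv & (inv + 1))
        return -1;
    for (; m != 0; m <<= 1)
        len++;
    return len;
}

int main(void)
{
    /* Constructed sample masks; 8.0.0.0 is the value from the reported error. */
    printf("255.255.255.0 -> %d\n", netmask_prefix_len(quad(255, 255, 255, 0)));
    printf("8.0.0.0       -> %d\n", netmask_prefix_len(quad(8, 0, 0, 0)));
    printf("0.0.0.0       -> %d\n", netmask_prefix_len(quad(0, 0, 0, 0)));
    return 0;
}
```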