Snort mailing list archives

Re: Bug in alert_syslog module?


From: "Michael Altizer (mialtize) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 1 Feb 2021 16:46:32 +0000

Yep, that's a bug - thanks for reporting it.  The workaround for now 
would be to explicitly configure the alert_syslog module in your 
snort.lua (alert_syslog = { }) rather than just specifying it on the 
command line.

On 1/31/21 10:41 AM, W. Michael Petullo wrote:
I have found that loading the alert_syslog module crashes snort
3.1.0.0 on OpenWrt. (I am the maintainer of the OpenWrt snort packages).

It looks like ModuleManager's get_default_module unconditionally passes
NULL to the third argument of mod->verified_end():

Module* ModuleManager::get_default_module(const char* s, SnortConfig* sc)
{
     Module* mod = get_module(s);

     if ( mod )
     {
         mod->verified_begin(s, 0, sc);
         mod->verified_end(s, 0, nullptr);
     }
     return mod;
}

However, SyslogModule::end unconditionally dereferences its third argument:

bool SyslogModule::end(const char*, int, SnortConfig* sc)
{
     if ( sc->daemon_mode() )
         options |= LOG_PID;

     return true;
}

This dereference of NULL seems to cause the crash.

Has anyone else seen this?
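
The call pattern reported above, modelled with a null-safe end(). This is an added example, not code from the thread or from the Snort source: SnortConfig, Module and SyslogModule are simplified stand-ins, and load_default and load_configured are hypothetical helpers (load_configured assumes an explicit configuration path that hands end() a real config).

```cpp
// Simplified stand-ins for the Snort types named in the thread
// (assumptions for illustration, not the real class definitions).
#include <syslog.h>   // LOG_PID

struct SnortConfig {
    bool daemon = false;
    bool daemon_mode() const { return daemon; }
};

class Module {
public:
    virtual ~Module() = default;
    virtual bool begin(const char*, int, SnortConfig*) { return true; }
    virtual bool end(const char*, int, SnortConfig*) { return true; }
};

class SyslogModule : public Module {
public:
    int options = 0;

    bool end(const char*, int, SnortConfig* sc) override {
        // The default-module path hands in nullptr, so test before use.
        if (sc && sc->daemon_mode())
            options |= LOG_PID;
        return true;
    }
};

// Mirrors the reported pattern: begin gets the config, end gets nullptr.
bool load_default(Module& mod, const char* name, SnortConfig* sc) {
    return mod.begin(name, 0, sc) && mod.end(name, 0, nullptr);
}

// Hypothetical explicit path: a real SnortConfig reaches end().
bool load_configured(Module& mod, const char* name, SnortConfig* sc) {
    return mod.begin(name, 0, sc) && mod.end(name, 0, sc);
}

int main() {
    SnortConfig sc;
    sc.daemon = true;
    SyslogModule a, b;
    bool ok = load_default(a, "alert_syslog", &sc)
           && load_configured(b, "alert_syslog", &sc);
    // Guarded default path: no crash, but LOG_PID is never set there.
    return (ok && a.options == 0 && (b.options & LOG_PID)) ? 0 : 1;
}
```

The guard removes the crash but not the information loss: on the nullptr path the module cannot see daemon mode, so LOG_PID stays unset even when the process is a daemon.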
