Snort mailing list archives
Re: Bug in alert_syslog module?
From: "Michael Altizer (mialtize) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 1 Feb 2021 16:46:32 +0000
Yep, that's a bug - thanks for reporting it. The workaround for now would be to explicitly configure the alert_syslog module in your snort.lua (alert_syslog = { }) rather than just specifying it on the command line.

On 1/31/21 10:41 AM, W. Michael Petullo wrote:
I have found that loading the alert_syslog module crashes snort 3.1.0.0 on OpenWrt. (I am the maintainer of the OpenWrt snort packages). It looks like ModuleManager's get_default_module unconditionally passes NULL to the third argument of mod->verified_end():

    Module* ModuleManager::get_default_module(const char* s, SnortConfig* sc)
    {
        Module* mod = get_module(s);

        if ( mod )
        {
            mod->verified_begin(s, 0, sc);
            mod->verified_end(s, 0, nullptr);
        }
        return mod;
    }

However, SyslogModule::end unconditionally dereferences its third argument:

    bool SyslogModule::end(const char*, int, SnortConfig* sc)
    {
        if ( sc->daemon_mode() )
            options |= LOG_PID;

        return true;
    }

This dereference of NULL seems to cause the crash. Has anyone else seen this?
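An added example, not part of the thread and not Snort's code: a simplified C++ model of the call path in the report, showing a null-guarded end() handler and what happens to LOG_PID when the caller still passes nullptr. SnortConfig, Module, GuardedSyslogModule, load_default and options_after_load are stand-in names assumed for illustration, and the guard is an assumed mitigation, not the project's actual fix.

```cpp
#include <cstdio>
#include <syslog.h>   // LOG_PID

// Stand-in for Snort's config object: only the query used in the report.
struct SnortConfig {
    bool daemon = false;
    bool daemon_mode() const { return daemon; }
};

// Stand-in for the module base class with the two hooks from the report.
struct Module {
    virtual ~Module() = default;
    virtual bool begin(const char*, int, SnortConfig*) { return true; }
    virtual bool end(const char*, int, SnortConfig*) { return true; }
};

// Assumed guard (not the project's fix): a null config is treated as
// "not daemonized" instead of being dereferenced.
struct GuardedSyslogModule : Module {
    int options = 0;
    bool end(const char*, int, SnortConfig* sc) override {
        if (sc != nullptr && sc->daemon_mode())
            options |= LOG_PID;
        return true;
    }
};

// Models get_default_module(): pass_config=false reproduces the nullptr
// third argument from the report, true hands the config to both hooks.
Module* load_default(Module* mod, const char* s, SnortConfig* sc, bool pass_config) {
    if (mod) {
        mod->begin(s, 0, sc);
        mod->end(s, 0, pass_config ? sc : nullptr);
    }
    return mod;
}

// Returns the syslog option bits the module ends up with.
int options_after_load(bool daemon, bool pass_config) {
    SnortConfig sc;
    sc.daemon = daemon;
    GuardedSyslogModule m;
    load_default(&m, "alert_syslog", &sc, pass_config);
    return m.options;
}

int main() {
    std::printf("guard only: %d, config passed: %d\n",
                options_after_load(true, false), options_after_load(true, true));
}
```

In this model the guard alone removes the crash but leaves LOG_PID unset in daemon mode, so a callee-side null check changes behaviour unless the caller also supplies the config.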