Snort mailing list archives

Re: Snort 1.8.1 WIN32 MSSQL

From: "Chris Reid" <Chris.Reid () CodeCraftConsultants com>
Date: Tue, 28 Aug 2001 01:07:34 -0600


John,

I used the symptoms you described to help me narrow down the cause of the
crashes (or rather what I think is the cause).  I found one line of code in
"spo_database.c" that writes into a buffer without checking if the buffer
will overflow.  (Bad me!!)

If you have the source code for Snort, make the following change yourself
and test it out.  If you don't have the source, you'll need to wait for a
little bit for things to propagate through the appropriate channels.  I
submitted the fix to Jed Pickel earlier this evening.  I assume he'll put
the fix into the official Snort source fairly quickly.  Then it will be up
to the guys at Silicon Defence to build and release a current version of the
MSSQL build.

Anyway, here is the fix... (sorry for the line-wrap -- remember to keep it
all on one line in your source code)

Line 65 is currently:
    #define SAVESTATEMENT(str)   strcpy(g_CurrentStatement, str);

Line 65 should become:
    #define SAVESTATEMENT(str)   strncpy(g_CurrentStatement, str,
sizeof(g_CurrentStatement)-1);

Chris Reid




----- Original Message -----
From: "John Kirk" <jkirk00 () home com>
To: <snort-users () lists sourceforge net>
Sent: Sunday, August 26, 2001 5:24 AM
Subject: [Snort-users] Snort 1.8.1 WIN32 MSSQL

Having difficult time getting 1.8.1 WIN32 MSSQL stable. Snort.exe
crashes with fatal error "snort.exe has generated errors and will be
closed by Windows, you will need to restart the program, an error log is
being created"

This occurs as soon as an alert is logged to MSSQL. The alert is
completely logged to MSSQL before the crash. I'm using default rule sets
at this point. I've run 1.8.1 logging to mysql on the same WIN2k box
since it's release and it is rock solid stable. I also tried running on
a test box and MSSQL build creates the same fatal error.

Thanks,
jk




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort 1.8.1 Win32 MSSQL Burleson, Lee (IA) (Aug 24)
- Re: Snort 1.8.1 Win32 MSSQL Chris Reid (Aug 24)
- <Possible follow-ups>
- RE: Snort 1.8.1 Win32 MSSQL Burleson, Lee (IA) (Aug 24)
- Snort 1.8.1 WIN32 MSSQL John Kirk (Aug 26)
  - Re: Snort 1.8.1 WIN32 MSSQL Chris Reid (Aug 28)
    - RE: Snort 1.8.1 WIN32 MSSQL John Kirk (Aug 30)
    - Re: Corrupt binaries in CVS (was: Snort 1.8.1 WIN32 MSSQL) Chris Reid (Aug 31)
    - Re: Corrupt binaries in CVS (was: Snort 1.8.1 WIN32 MSSQL) Olaf Schreck (Aug 31)