Snort mailing list archives

Re: 1.8.3 segfaulting


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 25 Dec 2001 17:04:54 -0800 (PST)

On Wed, 26 Dec 2001, Wolfgang Rohdewald wrote:

> This snort.conf line causes a coredump:
>
> var DNS_SERVERS [62.104.191.241/32 62.104.196.134/32]
>
> I fixed it by replacing the space by a comma. Yet I
> don't think snort should coredump.
>
> /etc/rc.d/init.d# snort -V
>
> -*> Snort! <*-
> Version 1.8.3 (Build 88)
>
> ltrace /usr/bin/snort -dv -e -A full -i ippp0 -c /etc/snort/snort.conf
>
> strcasecmp("portscan-ignorehosts", "portscan-ignorehosts") = 0
> strlen(0x08081c06, 32, 0xbfffcd78, 0x08052dbe, 16384) = 1
> strlen(0x080d97c8, 32, 0xbfffcd78, 0x08052dbe, 16384) = 18
> malloc(124)                                       = 0x080d9828
> malloc(19)                                        = 0x080d98a8
> memcpy(0x080d98a8, "[62.104.191.241/32", 18)      = 0x080d98a8
> calloc(12, 1)                                     = 0x080d98c0
> strrchr("[62.104.191.241/32", ']')                = NULL
> --- SIGSEGV (Segmentation fault) ---

From the mailing list archives a week or so ago, there was a long conversation
about how spp_portscan can't/won't use the format used in DNS_SERVERS.

Here's a snip from Phil Woods email.

---snip---
2. var DNS_SERVERS [XX.XX.XX.XX/32, YY.YY.YY.YY/32]

***THIS COMMENT ONLY APPLIES to a configuration which has portscan enabled.

   Note that portscan code was never re-written to handle the classic
   [a.b.c.0/24,q.r.s.t,...] (or negation thereof.)

   If you want DNS_SERVERS to be parsed by portscan-ignorehosts preprocessor
   you must use a space separated list.

   So, without exhausting comprehension of the parsing code in spp_portscan.c
   there is no telling what would be ignored or not if DNS_SERVERS is used.
---snip---


-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
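
Added example, not part of the original message and not Snort's source: the ltrace in the quoted report ends with `strrchr("[62.104.191.241/32", ']') = NULL` right before the SIGSEGV, which is consistent with a list parser using that return value unchecked. The sketch below assumes that reading; `parse_ip_list` and its limits are hypothetical names, and it shows a parser that rejects a token with no closing bracket instead of dereferencing NULL, while accepting both comma and space separators.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES   16
#define MAX_ENTRY_LEN 32

/* Hypothetical helper (not from spp_portscan.c): split a bracketed address
 * list such as "[a/32,b/32]" or "[a/32 b/32]" into entries.
 * Returns the number of entries, or -1 on malformed input. */
int parse_ip_list(const char *value, char out[][MAX_ENTRY_LEN], int max_out)
{
    char buf[256];
    char *close, *tok;
    int n = 0;

    if (value == NULL || value[0] != '[' || strlen(value) >= sizeof(buf))
        return -1;
    strcpy(buf, value + 1);                 /* drop the leading '[' */

    /* The step seen in the trace: strrchr() returns NULL when the token
     * was cut at whitespace and the ']' never arrived. Check it. */
    close = strrchr(buf, ']');
    if (close == NULL || close[1] != '\0')
        return -1;
    *close = '\0';

    for (tok = strtok(buf, ", \t"); tok != NULL; tok = strtok(NULL, ", \t")) {
        if (n == max_out || strlen(tok) >= MAX_ENTRY_LEN)
            return -1;                      /* too many or oversized entries */
        strcpy(out[n++], tok);
    }
    return n > 0 ? n : -1;                  /* "[]" is not a usable list */
}

int main(void)
{
    char out[MAX_ENTRIES][MAX_ENTRY_LEN];
    /* Inputs taken from the report: the truncated token from the trace,
     * then the full line in its space and comma forms. */
    const char *samples[] = {
        "[62.104.191.241/32",
        "[62.104.191.241/32 62.104.196.134/32]",
        "[62.104.191.241/32,62.104.196.134/32]",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-42s -> %d\n", samples[i],
               parse_ip_list(samples[i], out, MAX_ENTRIES));
    return 0;
}
```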

