Snort mailing list archives

Re: Segfault using react

From: CleBeer <clebeer () gmail com>
Date: Tue, 3 Jan 2012 18:37:44 -0200

Sorry Steve

This is not a good answer for a segfault...

Why I cant find this in snort manual?
why snort crashes instead send a "exit 1" ?


cheers

On Tue, Jan 3, 2012 at 6:09 PM, Steven Sturges <ssturges () sourcefire com>wrote:

Currently, only one %s is allowed.

Cheers
-steve


On 1/3/12 2:40 PM, snort user wrote:

Hi Cleber,

Could you try on snort 2.9.1.2?

Thanks




On Tue, Jan 3, 2012 at 2:14 PM, CleBeer<clebeer () gmail com>  wrote:

Hello guys,

I'm facing a strange segfault in snort with react.

If I set the tag "%s" to show rule message on the html file more than 1
time
the snort crashes with Segmentation Fault.

Here a sample of the html working fine:

----
<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"\r\n"
\\"http://www.w3.org/TR/**xhtml11/DTD/xhtml11.dtd\<http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd%5C>
">
<html xmlns=\"http://www.w3.org/**1999/xhtml\<http://www.w3.org/1999/xhtml%5C>"
xml:lang=\"en\">
<head>
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">
<title>Access Denied</title>
</head>
<body  bgcolor='white'>
<font color="FF3300" face="arial">
<h1><p align="center">ACCESS DENIED</h1></p>
<p align="center"><img src="http://www.xxx.net/logo.**gif<http://www.xxx.net/logo.gif>"
alt="Logo"></p>
<h3><p align="center">Cantact your security team<a
href="mailto:security () xxx net?**Subject=Acces%20Denied:%s">sec**
urity () xxx net <security () xxx net></a></p></h3>
</body>
</html>
---

if I add the line
Rule: %s
snort crashes

Here the html crashing snort:

-----
<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"\r\n"
\\"http://www.w3.org/TR/**xhtml11/DTD/xhtml11.dtd\<http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd%5C>
">
<html xmlns=\"http://www.w3.org/**1999/xhtml\<http://www.w3.org/1999/xhtml%5C>"
xml:lang=\"en\">
<head>
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">
<title>Access Denied</title>
</head>
<body  bgcolor='white'>
<font color="FF3300" face="arial">
<h1><p align="center">ACCESS DENIED</h1></p>
<p align="center"><img src="http://www.xxx.net/logo.**gif<http://www.xxx.net/logo.gif>"
alt="Logo"></p>
<h3><p align="center">Cantact your security team<a
href="mailto:security () xxx net?**Subject=Acces%20Denied:%s
%s">security () xxx net</a></p></**h3>
<p>Rule:%s</p>
</body>
</html>
----


Some one here facing the same problem?


My snort version is:
# snort -V

   ,,_     -*>  Snort!<*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 75)
   ''''    By Martin Roesch&  The Snort Team:

http://www.snort.org/snort/**snort-team<http://www.snort.org/snort/snort-team>
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4




cheers

--
-----------------------------
Cleber S. Brandão
Mob. +55 11 9333-9429

clebeerpub.blogspot.com
www.snort.org.br
  ,, _
 o"    )~
   '' ''
http://www.linkedin.com/in/**clebeer<http://www.linkedin.com/in/clebeer>
------------------------------**-----

------------------------------**------------------------------**
------------------
Write once. Port to many.
Get the SDK and tools to simplify cross-platform app development. Create
new or port existing apps to sell to consumers worldwide. Explore the
Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
http://p.sf.net/sfu/intel-**appdev <http://p.sf.net/sfu/intel-appdev>
______________________________**_________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.**net <Snort-devel () lists sourceforge net>
https://lists.sourceforge.net/**lists/listinfo/snort-devel<https://lists.sourceforge.net/lists/listinfo/snort-devel>

Please visit http://blog.snort.org for the latest news about Snort!


------------------------------**------------------------------**
------------------
Write once. Port to many.
Get the SDK and tools to simplify cross-platform app development. Create
new or port existing apps to sell to consumers worldwide. Explore the
Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
http://p.sf.net/sfu/intel-**appdev <http://p.sf.net/sfu/intel-appdev>
______________________________**_________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.**net <Snort-devel () lists sourceforge net>
https://lists.sourceforge.net/**lists/listinfo/snort-devel<https://lists.sourceforge.net/lists/listinfo/snort-devel>

Please visit http://blog.snort.org for the latest news about Snort!



-- 
-----------------------------
Cleber S. Brandão
Mob. +55 11 9333-9429

clebeerpub.blogspot.com
www.snort.org.br
  ,, _
 o"    )~
   '' ''
http://www.linkedin.com/in/clebeer
-----------------------------------

------------------------------------------------------------------------------
Write once. Port to many.
Get the SDK and tools to simplify cross-platform app development. Create 
new or port existing apps to sell to consumers worldwide. Explore the 
Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
http://p.sf.net/sfu/intel-appdev

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Segfault using react CleBeer (Jan 03)
- Re: Segfault using react snort user (Jan 03)
  - Re: Segfault using react Steven Sturges (Jan 03)
    - Re: Segfault using react CleBeer (Jan 03)
    - Re: Segfault using react Steven Sturges (Jan 03)
    - Re: Segfault using react Steven Sturges (Jan 04)
    - Re: Segfault using react CleBeer (Jan 04)