Snort mailing list archives
Re: Fwd: Snort3: bug with "-z" when it only in config
From: Russ via Snort-devel <snort-devel () lists snort org>
Date: Fri, 23 Nov 2018 06:55:52 -0500
This is fixed in the latest on github.

Thanks
Russ

On 11/23/18 6:10 AM, Meridoff wrote:
I think I meant snort = { ["-z"]=0 } (instead of =true) if the system has many CPUs (8 in my case), or just snort = { ["-z"]=8 }.

Fri, Nov 23, 2018 at 13:57, Meridoff <oagvozd () gmail com>:

Hello,

Wed, Nov 21, 2018 at 17:03, Russ via Snort-devel <snort-devel () lists snort org>:

Hi Meridoff,

I'm not able to reproduce the exact issue you report but I did find a bug. What version of Snort++ are you using? Here is a summary of my findings:

Snort++ 3.0.0-247

1. snort["-z"] = true is a misconfiguration and should not be expected to work under any circumstances.

Sorry, it was my misprint, I mean for example snort["-z"] = 2 (NUMBER)

2. snort = { "-z" = 2 } is invalid Lua.

3. snort = { }; snort["-z"] = 2 is a valid configuration (number not boolean) and we will fix that bug.

Yes, my messages are based on such a config.

Below is what I'm seeing with the latest. Note that I'm using --lua for clarity but the same results hold if you put the command line Lua chunks directly in your snort.lua.

Thanks for reporting the issue.

Russ

$ ./snort -c snort.lua --lua 'snort["-z"] = true'
--------------------------------------------------
o")~ Snort++ 3.0.0-249
--------------------------------------------------
Loading snort.lua:
FATAL: can't init overrides: [string "require('snort_config'); snort["-z"] = true"]:1: attempt to index global 'snort' (a nil value)
Fatal Error, Quitting..

That makes sense, because the snort table is not defined. Defining that causes Snort to hang:

$ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = true'
--------------------------------------------------
o")~ Snort++ 3.0.0-249
--------------------------------------------------
Loading snort.lua:
ssh pop binder stream_tcp gtp_inspect dce_http_proxy stream_icmp normalizer ftp_server stream_udp dce_smb snort
^C
o")~ caught int signal, exiting

That's the bug I mentioned.
Some command line switches trigger different modes and setting the default for --rule-to-text causes Snort to expect input on stdin. Patching around that yields the expected error because -z takes a number not a boolean:

$ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = true' | grep ERROR
ERROR: invalid snort.-z = 1

$ ./snort -? | grep "\-z"
-z <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:)

Changing to a valid value works as expected:

$ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = 2' | grep success
Snort successfully validated the configuration (with 0 warnings).

On 11/20/18 11:06 AM, Meridoff via Snort-devel wrote:

not only accessing an uninitialized but even an unallocated array, created in the PHClass constructor

---------- Forwarded message ---------
From: Meridoff <oagvozd () gmail com>
Date: Tue, Nov 20, 2018 at 19:03
Subject: Snort3: bug with "-z" when it only in config
To: <snort-devel () lists snort org>

Hello,
when option -z (total instances) is given only in config (snort["-z"]=true), then it equals 1 (default?) for some of the inspectors/plugins/modules, because they are initialized between parse_cmd_line and parse_config (where -z lies).
Due to this bug/feature, for many instances we have access to the uninitialized array p->pp_class.init[slot] in function InspectorManager::thread_init(), when slot > 1, but this array for some inspectors (appid, telnet, etc.) has length 1 (see PHClass constructor).
So we must duplicate "-z" on the command line or not use snort["-z"]=true at all.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
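
The ordering problem described in the original report (a per-thread array sized before the config supplies -z, then indexed by thread slot), as an added C++ example; it is not Snort source code and not from either poster, and Settings, PluginClass and both function names are hypothetical. It models the array as a bounds-checked std::vector so the overrun is caught rather than executed, and the resize step is one possible remedy, not necessarily the change made upstream.

```cpp
// Added illustration, not Snort source; every name below is hypothetical.
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

struct Settings { unsigned max_threads = 1; };  // stand-in for -z, default 1

// Plugin record holding one "initialized" flag per packet thread.
class PluginClass {
public:
    explicit PluginClass(const Settings& s) : init_(s.max_threads, false) {}
    void resize(const Settings& s) { init_.assign(s.max_threads, false); }
    std::size_t slots() const { return init_.size(); }
    // Checked access: refuse a slot the array was never sized for.
    void thread_init(unsigned slot) {
        if (slot >= init_.size()) throw std::out_of_range("slot past per-thread array");
        init_[slot] = true;
    }
    bool ready(unsigned slot) const { return slot < init_.size() && init_[slot]; }
private:
    std::vector<bool> init_;
};

// Reported order: plugin constructed before the config file sets the count.
bool early_construction_overruns(unsigned z_from_config) {
    Settings s;                     // no -z on the command line, so still 1
    PluginClass p(s);               // array sized from the default
    s.max_threads = z_from_config;  // config parsed afterwards
    try {
        for (unsigned slot = 0; slot < s.max_threads; ++slot) p.thread_init(slot);
    } catch (const std::out_of_range&) { return true; }
    return false;
}

// Corrected order: size the array from the final setting before threads start.
bool resized_after_config_is_safe(unsigned z_from_config) {
    Settings s;
    PluginClass p(s);
    s.max_threads = z_from_config;
    p.resize(s);
    for (unsigned slot = 0; slot < s.max_threads; ++slot) p.thread_init(slot);
    return z_from_config > 0 && p.slots() == z_from_config && p.ready(z_from_config - 1);
}

int main() {
    std::printf("early construction, -z 2 in config: overrun=%d\n", early_construction_overruns(2));
    std::printf("resized after config, -z 8: safe=%d\n", resized_after_config_is_safe(8));
    return 0;
}
```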