[Snort-devel] Snort Coredump on certain broken rules/legit rules

Steve Halligan agent33 at ...269...
Thu Apr 26 15:11:04 EDT 2001


Just updated to CVS... same exact seg fault here. Narrowed it down to these
rules (which worked with 1.8 build 10):

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL: 1 min. and no authority"; content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|";)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with ttl:  1 min. and no authority"; content:"|81800001000100000000|"; content:"|c00c000100010000003c0004|";)
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00:DaemontoMaster(PONGdetected)"; content:"PONG";reference:arachnids,187; classtype:attempted-recon;)
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00:DaemontoMaster(messagedetected)"; content:"l44";reference:arachnids,186; classtype:attempted-dos;)
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00:DaemontoMaster(*HELLO*detected)"; content:"*HELLO*"; reference:arachnids,185; classtype:attempted-dos;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00:Attacker to Master default startup password";flags: A+; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos;)

If I remove the () and : from the msg field, no seg fault. Not sure if it is the
(), because I removed them first. It didn't work until I removed the :. Now you
might say that there shouldn't be any of these chars in the msg field
anyway, and I would be inclined to agree, but like I said, these rules
worked with a CVS build from last week (build 10).
-Steve

> Initializing Network Interface fxp0
> using config file ./snort.conf
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file ./snort.conf
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x8054c0a in ParseMessage (msg=0x826d940 "\"DDOS Trin00") at 
> rules.c:2574
> 2574        *(end - count) = '\x0';
> 
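The gdb trace shows msg reaching ParseMessage as "\"DDOS Trin00", i.e. already cut at the colon and still carrying its opening quote, so the backwards write at rules.c:2574 is being done against a string shorter than the parser assumes. The following is an added example, not Snort's code: a hypothetical quote-aware msg extractor (extract_msg and msg_matches are made-up names) that treats ':' '(' ')' ';' inside the quotes as ordinary bytes and bounds every write, run against option strings taken from the rules above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded msg extractor (not Snort's ParseMessage).
   opts is a rule's option text, e.g.
     msg:"DDOS Trin00:DaemontoMaster(PONGdetected)"; content:"PONG";
   The value is scanned forward from the opening quote, so ':' '(' ')'
   and ';' between the quotes are ordinary bytes, and every write is
   checked against outlen, so nothing lands before or past out.
   Returns the message length, or -1 for a missing, unquoted or
   unterminated msg, or an output buffer that is too small. */
int extract_msg(const char *opts, char *out, size_t outlen)
{
    const char *p = strstr(opts, "msg:");
    size_t n = 0;
    if (p == NULL) return -1;
    p += 4;
    while (*p == ' ' || *p == '\t') p++;      /* skip blanks after msg: */
    if (*p != '"') return -1;                 /* value must be quoted */
    for (p++; *p != '\0' && *p != '"'; p++) {
        if (*p == '\\' && p[1] != '\0') p++;  /* copy escaped byte, drop '\' */
        if (n + 1 >= outlen) return -1;       /* no room for byte plus NUL */
        out[n++] = *p;
    }
    if (*p != '"') return -1;                 /* hit NUL first: unterminated */
    out[n] = '\0';
    return (int)n;
}

/* 1 if the msg in opts is exactly expected, 0 on mismatch or parse error. */
int msg_matches(const char *opts, const char *expected)
{
    char buf[128];
    return extract_msg(opts, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Option strings from the rules in the post; 'cut' mirrors what gdb showed. */
    const char *ok = "msg:\"DDOS Trin00:DaemontoMaster(PONGdetected)\"; "
                     "content:\"PONG\"; reference:arachnids,187;";
    const char *cut = "msg:\"DDOS Trin00";
    char buf[128];
    int n = extract_msg(ok, buf, sizeof buf);
    printf("len=%d msg=[%s]\n", n, n >= 0 ? buf : "");
    printf("truncated input -> %d\n", extract_msg(cut, buf, sizeof buf));
    return 0;
}
```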