[Snort-devel] Snort Coredump on certain broken rules/legit rules

Martin Roesch roesch at ...48...
Thu Apr 26 15:11:51 EDT 2001


I probably broke it last night when I "fixed" the msg field parser
code.  I'm looking into this bug, bear with me.

    -Marty

Steve Halligan wrote:
> 
> Just updated to CVS...same exact Seg Fault here.  Narrowed it down to these
> rules (which worked with 1.8 build 10):
> 
> alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response
> PTR with TTL: 1 min. and no authority"; content:"|85800001000100000000|";
> content:"|c00c000c00010000003c000f|";)
> alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response
> with ttl:  1 min. and no authority"; content:"|81800001000100000000|";
> content:"|c00c000100010000003c0004|";)
> alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS
> Trin00:DaemontoMaster(PONGdetected)";
> content:"PONG";reference:arachnids,187; classtype:attempted-recon;)
> alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS
> Trin00:DaemontoMaster(messagedetected)";
> content:"l44";reference:arachnids,186; classtype:attempted-dos;)
> alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS
> Trin00:DaemontoMaster(*HELLO*detected)"; content:"*HELLO*";
> reference:arachnids,185; classtype:attempted-dos;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00:Attacker to
> Master default startup password";flags: A+; content:"betaalmostdone";
> reference:arachnids,197; classtype:attempted-dos;)
> 
> If I remove the (): from the msg field--no seg fault.  Not sure if it is the
> () because I removed them first.  Didn't work until I removed the :.  Now you
> might say that there shouldn't be any of these chars in the msg field
> anyway, and I would be inclined to agree, but like I said, these rules
> worked with a CVS build from last week (build 10).
> -Steve
> 
> > Initializing Network Interface fxp0
> > using config file ./snort.conf
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Initializating Output Plugins!
> > Parsing Rules file ./snort.conf
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> >
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x8054c0a in ParseMessage (msg=0x826d940 "\"DDOS Trin00") at
> > rules.c:2574
> > 2574        *(end - count) = '\x0';
> >
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel
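The backtrace above shows ParseMessage being handed `"DDOS Trin00`, i.e. the msg value cut at the first colon, and then writing through `*(end - count)`; a routine that scans backwards from the end of the value for its closing quote has nothing to stop at once that quote is gone. The block below is an added example, my own code rather than anything from Snort's rules.c, showing the two properties a rule-option parser needs to accept these rules: `;` separates options only outside double quotes, and the key ends at the first `:` so colons and parentheses inside the quoted msg are preserved, while a msg value that lacks its closing quote is rejected as a rule error instead of being dereferenced. All names (`parse_options`, `unquote_msg`, `rule_msg`, `rule_opt`, `msg_is`, `count_options`) are mine; the option text in `TRIN00_OPTS` is copied from the Trin00 PONG rule in the report.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_OPTS 16
#define KEY_SZ   32
#define VAL_SZ   256

typedef struct { char key[KEY_SZ]; char value[VAL_SZ]; } rule_opt;

/* Option block (text inside the parentheses) of the Trin00 PONG rule quoted above. */
const char *const TRIN00_OPTS =
    "msg:\"DDOS Trin00:DaemontoMaster(PONGdetected)\"; "
    "content:\"PONG\";reference:arachnids,187; classtype:attempted-recon;";

/* Copy [s, s+len) into dst with trailing whitespace trimmed; 0 if it does not fit. */
static int copy_trim(char *dst, size_t dstsz, const char *s, size_t len) {
    while (len > 0 && isspace((unsigned char)s[len - 1])) len--;
    if (len >= dstsz) return 0;
    memcpy(dst, s, len);
    dst[len] = '\0';
    return 1;
}

/* Split an option string into key/value pairs. A ';' ends an option only when
   we are outside double quotes, and the key ends at the FIRST ':' of the
   option, so "Trin00:DaemontoMaster(PONGdetected)" survives intact in the value.
   Returns the option count, or -1 for a malformed string (unterminated quote,
   oversized field, too many options). */
int parse_options(const char *opts, rule_opt *out, int max) {
    int n = 0, inq = 0;
    const char *start = opts, *p = opts;
    for (;; p++) {
        if (*p == '"' && (p == opts || p[-1] != '\\')) inq = !inq;  /* \" does not toggle */
        if (*p == '\0' || (*p == ';' && !inq)) {
            const char *s = start;
            size_t len = (size_t)(p - start);
            while (len > 0 && isspace((unsigned char)*s)) { s++; len--; }
            if (len > 0) {
                const char *colon = memchr(s, ':', len);
                size_t klen = colon ? (size_t)(colon - s) : len;
                if (n >= max) return -1;
                if (!copy_trim(out[n].key, KEY_SZ, s, klen)) return -1;
                if (colon) {
                    const char *v = colon + 1;
                    size_t vlen = len - klen - 1;
                    while (vlen > 0 && isspace((unsigned char)*v)) { v++; vlen--; }
                    if (!copy_trim(out[n].value, VAL_SZ, v, vlen)) return -1;
                } else {
                    out[n].value[0] = '\0';   /* flag-style option without a value */
                }
                n++;
            }
            if (*p == '\0') break;
            start = p + 1;
        }
    }
    return inq ? -1 : n;   /* unterminated quote is a rule error, not a crash */
}

/* Strip the surrounding double quotes from a msg value. Returns 1 on success;
   0 when the value is not a complete quoted string, which is exactly the
   "\"DDOS Trin00" case from the backtrace: the caller reports a bad rule
   instead of scanning backwards past the start of the buffer. */
int unquote_msg(const char *val, char *out, size_t outsz) {
    size_t len = strlen(val);
    if (len < 2 || val[0] != '"' || val[len - 1] != '"') return 0;
    if (len - 2 >= outsz) return 0;
    memcpy(out, val + 1, len - 2);
    out[len - 2] = '\0';
    return 1;
}

/* Parse an option block and return its unquoted msg text, or NULL if absent/malformed. */
const char *rule_msg(const char *opts, char *out, size_t outsz) {
    rule_opt o[MAX_OPTS];
    int n = parse_options(opts, o, MAX_OPTS), i;
    for (i = 0; i < n; i++)
        if (strcmp(o[i].key, "msg") == 0 && unquote_msg(o[i].value, out, outsz))
            return out;
    return NULL;
}

/* Helpers returning plain results: option count, and whether msg equals expect. */
int count_options(const char *opts) { rule_opt o[MAX_OPTS]; return parse_options(opts, o, MAX_OPTS); }
int msg_is(const char *opts, const char *expect) {
    char buf[VAL_SZ];
    const char *m = rule_msg(opts, buf, sizeof buf);
    return m != NULL && strcmp(m, expect) == 0;
}

int main(void) {
    char buf[VAL_SZ];
    printf("options: %d\n", count_options(TRIN00_OPTS));
    printf("msg: %s\n", rule_msg(TRIN00_OPTS, buf, sizeof buf));
    printf("truncated msg accepted: %d\n", unquote_msg("\"DDOS Trin00", buf, sizeof buf));
    return 0;
}
```

The point of the split into `parse_options` and `unquote_msg` is that each stage validates its own input: the tokenizer never cuts inside quotes, and the unquoter treats a missing closing quote as data to reject rather than as a position to search for, so the "chars that shouldn't be in the msg field anyway" become a parse error at worst, never a write outside the buffer.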
