[Snort-devel] Snort 1.81-RELEASE core dumps when given bad $DNS_SERVERS
franklin.lists at ...606...
Thu Aug 16 22:04:57 EDT 2001
Please cc all the responses to this to me.
I was able to consistently reproduce this bug:
Snort core dumps on startup
The snort.conf had the following (incorrect) line:
var DNS_SERVERS [$HOME_NET, xx.xx.xxx.xxx/32, xx.xx.xxx.xxx/32,
(the x's were actual digits)
which was referenced here:
preprocessor portscan-ignorehosts: $DNS_SERVERS
Now, that line is illegal, as I shouldn't have put spaces in. Eliminating
the spaces solved the problem. I doubt that this is exploitable in any way,
but it is a bug nonetheless.
Here are the details:
OpenBSD 2.9 GENERIC#653 i386
-*> Snort! <*-
Version 1.8.1-RELEASE (Build 74)
snort -c snort.conf
$ sudo snort -c
Log directory =
--== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system
Initializing Network Interface de0
Decoding Ethernet on interface de0
Initializating Output Plugins!
Parsing Rules file snort.conf
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Scan alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
Segmentation fault (core dumped)
Again, I was able to repeat this several times.
qDefense: Making Security Accessible
qDefense offers a variety of security services
See http://qDefense.com/Services today!