[Snort-devel] Snort 1.81-RELEASE core dumps when given bad $DNS_SERVERS

Franklin DeMatto franklin.lists at ...606...
Thu Aug 16 22:04:57 EDT 2001


Please cc all the responses to this to me.

I was able to consistently reproduce this bug:

Snort core dumps on startup

The snort.conf had the following (incorrect) line:

var DNS_SERVERS [$HOME_NET,  xx.xx.xxx.xxx/32, xx.xx.xxx.xxx/32, 
xx.xx.xxx.xxx/32]

(the x's were actual digits)

which was referenced here:
preprocessor portscan-ignorehosts: $DNS_SERVERS

Now, that line is illegal, as I shouldn't have put spaces in.  Eliminating 
the spaces solved the problem.  I doubt that this is exploitable in anyway, 
but it is a bug nonetheless.

Here are the details:

OpenBSD 2.9 GENERIC#653 i386

-*> Snort! <*-
Version 1.8.1-RELEASE (Build 74)

snort -c snort.conf

Results:

$ sudo snort -c 
snort.conf
Log directory =

         --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system

Initializing Network Interface de0
Decoding Ethernet on interface de0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
     Fragment timeout: 60 seconds
     Fragment memory cap: 4194304 bytes
Stream4 config:
     Stateful inspection: ACTIVE
     Session statistics: INACTIVE
     Session timeout: 30 seconds
     Session memory cap: 8388608 bytes
     State alerts: INACTIVE
     Scan alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
      Reassemble client: ACTIVE
      Reassemble server: INACTIVE
      Reassemble ports: 21 23 25 53 80 143 110 111 513
      Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
Segmentation fault (core dumped)


Again, I was able to repeat this several times.


Franklin DeMatto
http://qDefense.com
qDefense: Making Security Accesible

qDefense offers a variety of security services
See http://qDefense.com/Services today!





More information about the Snort-devel mailing list