[Snort-devel] Issue with -N, patch incl.

Joe McAlerney joey at ...60...
Wed Aug 29 21:29:14 EDT 2001


There were posts in the forums regarding segfaults occurring in
conjunction with the -N option.  It seemed to occur when people were
using the "log" facility of the database plugin rather than "alert".
Since -N turns off packet logging, there seemed to be a strong
correlation.  As it turns out, the -N option sets the pv.nolog_flag
which in turn wipes out any existing LOG output function list and sets
up a new one with only the NoLog plugin.

The segfault occurred because the LogList pointer was still referencing
the freed list of Log functions.  Simply assigning it to NULL fixed this.

We may want to add to the description of -N that not only will local
logging of packets be disabled, but so will any output plugins registered
as type NT_OUTPUT_LOG, or in simple terms "log plugins".  This is still
going to spawn questions as to why -N is now wiping out database logging,
but the simple answer is to use "alert".

On a related note, this patch seems to fix the issue of disabling
logging to the "alert" file.  Oh, and setting the portscan logging file
to /dev/null seems to work rather nicely as well, although not
thoroughly tested for possible side effects. :-)

-Joe M.

|   Joe McAlerney     joey at ...63...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+
-------------- next part --------------
--- /tmp/snort/rules.c	Tue Aug 21 11:33:42 2001
+++ /usr/local/src/snort/rules.c	Wed Aug 29 18:07:31 2001
@@ -1490,6 +1490,20 @@
         prev = idx;
+    switch(node_type)
+    {
+        case NT_OUTPUT_ALERT:
+	    AlertList = prev;
+            break;
+        case NT_OUTPUT_LOG:
+            LogList = prev;
+            break;
+        default:
+            return;
+    }
     AddFuncToOutputList(func, node_type, arg);
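Review bot: the switch inserted after `prev = idx;` stores `prev` into AlertList/LogList, but whether `prev` is NULL at that point depends on the loop above it, which this hunk does not show; if `prev` is the last node that loop freed, the head becomes a dangling pointer again rather than the NULL the cover note describes. Assign the constant directly (`LogList = NULL;` / `AlertList = NULL;`) so the reset does not depend on loop state. Two smaller points: `default: return;` now skips `AddFuncToOutputList(func, node_type, arg);` for any other node_type, which the old code reached unconditionally, so that is a silent behaviour change worth a comment or an error message; and `AlertList = prev;` is indented with a tab while the rest of the block uses spaces. The header claims 14 added lines but only 11 `+` lines are visible, so the hunk as posted may be truncated.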
@@ -1501,19 +1515,19 @@
         case NT_OUTPUT_ALERT:
-            if(head_tmp != NULL)
+	     if(head_tmp != NULL)
                 head_tmp->AlertList = AppendOutputFuncList(func, arg,
-                AlertList = AppendOutputFuncList(func, arg, AlertList);
+	         AlertList = AppendOutputFuncList(func, arg, AlertList);
         case NT_OUTPUT_LOG:
-            if(head_tmp != NULL)
+	     if(head_tmp != NULL)
                 head_tmp->LogList = AppendOutputFuncList(func, arg,
-            else
-                LogList = AppendOutputFuncList(func, arg, LogList);
+	     else
+ 	         LogList = AppendOutputFuncList(func, arg, LogList);
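Review bot: this hunk changes only whitespace: each `-`/`+` pair differs in leading spaces being replaced by a tab, and the `+  \t LogList = ...` line gains a stray space before the tab, so the same block ends up with mixed indentation. Drop this hunk from the patch; it carries no functional change and makes the real fix in the first hunk harder to review. As shown it is also incomplete (the ALERT case has no `else` before `AlertList = AppendOutputFuncList(...)`, while the LOG case does, and the header's 19 lines are not all present), so the patch should be regenerated with `diff -u` and attached whole.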

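Added example, not code from the post or from Snort's rules.c: a minimal C model of the ALERT/LOG output function lists, showing the defect described above (every node freed while the global head still pointed at the first one) beside a fix that clears and resets the head through one pointer-to-head so it cannot be left dangling, and that refuses unknown node types without touching either list. The node layout, ListForType(), the stub plugins and RunNoLogScenario() are assumptions made for this example.

```c
/* Added example, not Snort's rules.c: a minimal model of the ALERT/LOG output
 * function lists from the post. The node layout, ListForType(), the stub
 * plugins and RunNoLogScenario() are assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>

#define NT_OUTPUT_ALERT 1
#define NT_OUTPUT_LOG   2

typedef void (*OutputFunc)(const char *msg, void *arg);
typedef struct _OutputFuncNode {
    OutputFunc func;
    void *arg;
    struct _OutputFuncNode *next;
} OutputFuncNode;

static OutputFuncNode *AlertList = NULL;
static OutputFuncNode *LogList = NULL;

/* Stub plugins that only count their invocations (stand-ins, not Snort's). */
static int log_calls, nolog_calls;
static void LogStub(const char *m, void *a)   { (void)m; (void)a; log_calls++; }
static void NoLogStub(const char *m, void *a) { (void)m; (void)a; nolog_calls++; }

/* Append at the tail; returns the head, which the caller stores back. */
static OutputFuncNode *AppendOutputFuncList(OutputFunc func, void *arg,
                                            OutputFuncNode *head)
{
    OutputFuncNode *n = calloc(1, sizeof *n), *tail = head;
    if (n == NULL) { perror("calloc"); exit(EXIT_FAILURE); }
    n->func = func;
    n->arg = arg;
    if (head == NULL)
        return n;
    while (tail->next != NULL)
        tail = tail->next;
    tail->next = n;
    return head;
}

/* Address of the global head for a node type, NULL for an unknown type. */
static OutputFuncNode **ListForType(int node_type)
{
    if (node_type == NT_OUTPUT_ALERT) return &AlertList;
    if (node_type == NT_OUTPUT_LOG)   return &LogList;
    return NULL;
}

/* Free every node AND reset the head. The defect in the post was the first
 * half without the second: LogList kept pointing at the first freed node, so
 * the next walk of the list was a use-after-free. Taking the head by address
 * makes the reset part of the same operation. */
static void FreeOutputList(OutputFuncNode **headp)
{
    OutputFuncNode *idx = *headp;
    while (idx != NULL) {
        OutputFuncNode *prev = idx;
        idx = idx->next;
        free(prev);
    }
    *headp = NULL;
}

/* Replace the whole list of node_type with one function (what -N does to the
 * LOG list with NoLog). Returns 0, or -1 for an unknown type, untouched. */
static int SetOutputList(OutputFunc func, int node_type, void *arg)
{
    OutputFuncNode **headp = ListForType(node_type);
    if (headp == NULL)
        return -1;
    FreeOutputList(headp);
    *headp = AppendOutputFuncList(func, arg, *headp);
    return 0;
}

/* Walk the list for node_type, calling each plugin; returns the number of
 * plugins called, or -1 for an unknown type. */
static int CallOutputFuncs(int node_type, const char *msg)
{
    OutputFuncNode **headp = ListForType(node_type);
    int n = 0;
    if (headp == NULL)
        return -1;
    for (OutputFuncNode *idx = *headp; idx != NULL; idx = idx->next, n++)
        idx->func(msg, idx->arg);
    return n;
}

/* Scenario from the post: two LOG plugins registered, then -N installs NoLog.
 * Returns how many LOG plugins run afterwards; only NoLogStub should. */
static int RunNoLogScenario(void)
{
    LogList = AppendOutputFuncList(LogStub, NULL, LogList);
    LogList = AppendOutputFuncList(LogStub, NULL, LogList);
    if (SetOutputList(NoLogStub, NT_OUTPUT_LOG, NULL) != 0)
        return -1;
    return CallOutputFuncs(NT_OUTPUT_LOG, "packet");
}

int main(void)
{
    int called = RunNoLogScenario();
    printf("LOG plugins called=%d log_calls=%d nolog_calls=%d\n",
           called, log_calls, nolog_calls);
    return called == 1 ? 0 : 1;
}
```

The point of `FreeOutputList(OutputFuncNode **headp)` is that the caller passes `&LogList` rather than a copy of the pointer, so the reset to NULL happens in the same place as the frees and cannot be forgotten or be routed through a loop variable whose value depends on how the loop ended.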