[Snort-devel] core dump reading config file (patch incl.)

Martin Roesch roesch at ...48...
Fri Feb 23 00:10:01 EST 2001


Thanks, fixed.

   -Marty

Joe McAlerney wrote:
> 
> This was posted in a forum.  He provided a patch to fix it up.
> 
> 8<....................................................
> 
> in my snort.conf file i had the line:
> output alert_full:
> 
> it caused snort to core dump as follows:
> ------snip------
> (gdb) bt
> #0 0x4023a74d in ?? ()
> #1 0x805cd65 in ProcessFileOption (filespec=0x0) at parser.c:58
> #2 0x805d6b4 in ParseFullAlertArgs (args=0x8091620 "") at
> spo_alert_full.c:138
> #3 0x805d616 in FullAlertInit (args=0x8091620 "") at spo_alert_full.c:88
> #4 0x8052b8d in ParseOutputPlugin (rule=0xbffff120 "output alert_full:")
> at rules.c:1265
> #5 0x80522d3 in ParseRule (prule=0xbffff560 "output alert_full:",
> inclevel=0) at
> rules.c:403
> #6 0x8051f97 in ParseRulesFile (file=0x80878dc
> "/usr/local/snort/snort_gwc.conf",
> inclevel=0) at rules.c:144
> #7 0x804b56a in main (argc=4, argv=0xbffffa94) at snort.c:258
> #8 0x401d6a2c in ?? ()
> (gdb)
> 
> ------snip------
> 
> removing the : at the end of the command fixed the problem, but it was
> not clear in the
> documenation that the colon should only be used when specifying an
> output filename.
> 
> i added the following patch to my snort copy (pay not attention to my
> file dates, this is
> 1.07 ;-( )
> -----snip----
> --- parser.c.orig Tue Feb 13 16:02:45 2001
> +++ parser.c Tue Feb 13 15:59:51 2001
> @@ -54,6 +54,10 @@
> char *filename;
> char buffer[STD_BUF];
> 
> + if(!filespec)
> + {
> + FatalError("ERROR: no fileoptions arg, remove the extra ':' at end of
> the alert
> option?\n");
> + }
> /* look for ".." in the string and complain and exit if it is found */
> if(strstr(filespec, "..") != NULL)
> {
> -----snip----
> 
> --
> ___cliff rayman___cliff at ...274...://www.genwax.com/
> 
> .................................................................>8
> --
> +--                            --+
> | Joe McAlerney, Silicon Defense |
> | http://www.silicondefense.com/ |
> +--                            --+
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...48...
http://www.snort.org




More information about the Snort-devel mailing list