[Snort-devel] Snort 1.7 SegFaults Reading a Bad Rule File

Crist J. Clark cjclark at ...236...
Sat Jan 27 19:47:48 EST 2001

Snort 1.7 segfaults reading the rule file if whitespace immediately
follows a '!' in an address specification. For example, the following
file produces a crash,

  buttercup# cat badrule.conf
  # badrule.conf

  pass tcp any any -> ! any

  buttercup# ./snort -c badrule.conf -l .
          --== Initializing Snort ==--

  Initializing Network Interface ep0
  Decoding Ethernet on interface ep0
  Initializing Preprocessors!
  Initializing Plug-ins!
  Initializating Output Plugins!

  Initializing rule chains...
  Segmentation fault

In the ParseIP routine of rules.c.

I guess you can say that whitespace is not allowed there, but Snort
should flag the error and not core dump. It took me a long time to
figure out what the problem in my rules file was when I found this

Personally, I like allowing the extra whitespace. But the easiest fix
is probably to flag it as an error. I nosed around ParseIP() and
mSplit(), but I could not decide on the most correct way to fix this
Crist J. Clark                           cjclark at ...235...

More information about the Snort-devel mailing list