[Snort-devel] Error in duplicate classification check (+ fix)

Craig Barraclough craigba at ...910...
Sun Oct 28 17:31:01 EST 2001

in parser.c

if(!strncasecmp(current->type, data, strlen(current->type)))

Problem: If classification type already loaded is the same as the beginning
of another classification type, they will incorrectly match

parsing snort.conf, classification 'suspicious', further parsing comes to
classification 'suspicious-login'.
strncasecmp('suspicious', 'suspicious-login', 10) will return the first 10
chars are the same.
This will incorrectly detect the new classification as a duplicate.

Resolution: check strlen(data) == strlen(current->type) before


PS I've already submitted a bug at sourceforge.

More information about the Snort-devel mailing list