[Snort-devel] Error in duplicate classification check (+ fix)

Martin Roesch roesch at ...402...
Sun Oct 28 18:25:01 EST 2001


Patched and committed.

     -Marty

Craig Barraclough wrote:
> 
> in parser.c
> 
> if(!strncasecmp(current->type, data, strlen(current->type)))
> 
> Problem: If a classification type already loaded is the same as the beginning
> of another classification type, they will incorrectly match.
> 
> Example:
> parsing snort.conf, classification 'suspicious', further parsing comes to
> classification 'suspicious-login'.
> strncasecmp('suspicious', 'suspicious-login', 10) will report that the first 10
> chars are the same.
> This will incorrectly detect the new classification as a duplicate.
> 
> Resolution: check strlen(data) == strlen(current->type) before
> strncasecmp(....)
> 
> Craig.
> 
> PS I've already submitted a bug at SourceForge.

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
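
Added example, not part of the original thread and not Snort's parser.c: the prefix comparison quoted in the report next to a check that applies the proposed length test first. ClassNode, loaded and both function names are hypothetical, and the classification names are constructed sample input.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Hypothetical stand-in for one loaded classification entry. */
typedef struct ClassNode {
    const char *type;
    struct ClassNode *next;
} ClassNode;

/* Comparison as quoted in the report: only strlen(cur->type) bytes are
 * compared, so a loaded name that is a prefix of the new name matches. */
static int is_duplicate_prefix(const ClassNode *head, const char *data)
{
    for (const ClassNode *cur = head; cur != NULL; cur = cur->next)
        if (!strncasecmp(cur->type, data, strlen(cur->type)))
            return 1;
    return 0;
}

/* Proposed resolution: require equal lengths before comparing. */
static int is_duplicate_exact(const ClassNode *head, const char *data)
{
    size_t dlen = strlen(data);
    for (const ClassNode *cur = head; cur != NULL; cur = cur->next) {
        size_t tlen = strlen(cur->type);
        if (dlen == tlen && !strncasecmp(cur->type, data, tlen))
            return 1;
    }
    return 0;
}

/* Constructed sample state: "suspicious" has already been parsed. */
static const ClassNode loaded = { "suspicious", NULL };

int main(void)
{
    const char *names[] = { "suspicious-login", "SUSPICIOUS", "suspicio" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s prefix-check=%d exact-check=%d\n", names[i],
               is_duplicate_prefix(&loaded, names[i]),
               is_duplicate_exact(&loaded, names[i]));
    return 0;
}
```

A rule-set consequence worth checking for on affected builds: a more specific classification rejected as a duplicate never gets its own entry, so its configured description and priority are not loaded.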
