[Snort-devel] [ snort-Bugs-459914 ] segfault from xml output plugin

noreply at ...12... noreply at ...12...
Sun Sep 9 06:46:11 EDT 2001


Bugs item #459914, was opened at 2001-09-08 21:21
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=459914&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Jeffrey C. Ollie (jcollie)
Assigned to: Nobody/Anonymous (nobody)
Summary: segfault from xml output plugin

Initial Comment:
I'm having a problem with the XML output plugin 
segfaulting.  Here's a sample config file:

var HOME_NET [161.210.0.0/16,10.0.0.0/8]
var EXTERNAL_NET any
output xml: log, file=/var/log/snort/xml
output alert_syslog: LOG_LOCAL2 LOG_ALERT
config classification: attempted-recon,Attempted Information Leak,3
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; offset:12; content:"|04|bind"; nocase; offset: 12; reference:arachnids,278; classtype:attempted-recon; sid:257; rev:1;)

I'm running snort with this command line:

/usr/bin/snort -c /etc/snort/test.conf -i eth1

Sending a packet that triggers the only rule causes
an immediate coredump.  The command that I use is:

dig @161.210.214.100 version.bind txt chaos

If you disable the XML output plugin or add '-b' to
the command line, snort will not coredump.

I'm running this on a PIII/933 running RedHat Linux 
7.1, libnet 1.0.2a, libpcap 0.6.2, postgresql 7.0.3,
openssl 0.6.9.

I've attached a zip file with some relevant files.


----------------------------------------------------------------------
