[Snort-devel] Bug Report - Rare portscan error

Jason Gomes jgomes at ...1055...
Fri Jan 11 09:47:02 EST 2002


Operating System:  Linux RedHat 7.0
Snort Version:  1.8.3

An errant portscan was detected and produced the following alerts.
Notice the "41 seconds" in the report.

Actual IP address masked.
[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from X.X.X.X (THRESHOLD 9 connections exceeded in 41 seconds) [**]
[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from X.X.X.X (THRESHOLD 9 connections exceeded in 41 seconds) [**]

Relevant snort.conf entry.
preprocessor portscan : $HOME_NET 9 1 portscan.log


My assumption is that the problem may actually be within mstring.c (mSplit).
Should the returned char array allocated by the malloc() call first be
cleared?
FYI - The snort sensor in question is constantly being restarted.

Code sample:
/* allocate space for the new token */
if ((retstr[curr_str] = (char *)
    malloc((sizeof(char) * len) + 1)) == NULL)



Thanks

Jason Gomes
jgomes at ...1055...
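
An added example, not part of the original post and not Snort's code: it shows when clearing a malloc()'d token buffer changes what a numeric field parses to, which is the question the report raises about the allocation in mSplit. The names dirty_alloc and parse_token, the stale chunk contents and the sample config string are all constructed assumptions; dirty_alloc simulates a recycled heap chunk so the result is deterministic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for malloc() handing back a recycled chunk:
 * the 16-byte chunk still holds a previously freed string (constructed). */
static char chunk[16];
static char *dirty_alloc(size_t n)
{
    if (n > sizeof(chunk))
        return NULL;
    memcpy(chunk, "60 portscan.log", sizeof(chunk)); /* 15 chars + NUL */
    return chunk;
}

enum copy_mode { NO_TERMINATOR, TERMINATE, CLEAR_FIRST };

/* Copy a len-byte token into a fresh buffer and parse it as a number. */
long parse_token(const char *src, size_t len, enum copy_mode mode)
{
    char *tok = dirty_alloc(len + 1);
    if (tok == NULL)
        return -1;
    if (mode == CLEAR_FIRST)
        memset(tok, 0, len + 1);     /* what calloc() would have done */
    memcpy(tok, src, len);           /* copies the token bytes only */
    if (mode == TERMINATE)
        tok[len] = '\0';             /* explicit terminator after the copy */
    return strtol(tok, NULL, 10);    /* reads until the first non-digit */
}

int main(void)
{
    const char *conf = "9 1 portscan.log";   /* constructed config tail */
    /* the "1" (detection period) starts at offset 2 and is 1 byte long */
    printf("no terminator: %ld\n", parse_token(conf + 2, 1, NO_TERMINATOR));
    printf("terminated:    %ld\n", parse_token(conf + 2, 1, TERMINATE));
    printf("cleared first: %ld\n", parse_token(conf + 2, 1, CLEAR_FIRST));
    return 0;
}
```

Clearing the buffer only matters if the copy that follows the allocation does not write its own terminator; when it does, the stale bytes are never read.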




