[Snort-devel] Segmentation fault in snort v 1.8.6

Green, Art Art.Green at ...1419...
Tue Jun 18 11:34:04 EDT 2002


Appears a colon in the content field of a rules causes snort to drop core.

Arch: x86
OS: FreeBSD 4.4-RELEASE

Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Chunked Encoding Request"; flags: A+; content:"Transfer-Encoding:"; nocase;)

Command:
/usr/local/bin/snort -T -c /usr/local/etc/snort.conf

Backtrace:
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libz.so.2...done.
Reading symbols from /usr/lib/libpcap.so.2...done.
Reading symbols from /usr/lib/libm.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x8059891 in ParsePattern (rule=0x0, otn=0x8112000) at sp_pattern_match.c:351
351             rule++;
(gdb) bt
#0  0x8059891 in ParsePattern (rule=0x0, otn=0x8112000) at sp_pattern_match.c:351
#1  0x8059469 in PayloadSearchInit (data=0x0, otn=0x8112000, protocol=6) at sp_pattern_match.c:94
#2  0x80552d4 in ParseRuleOptions (
    rule=0xbfbfb18c "alert tcp any any -> [172.27.0.0/16] 80 (msg:\"Chunked Encoding Request\"; flags: A+; content:\"Transfer-Encoding:\"; nocase;", rule_type=2, protocol=6) at rules.c:1838
#3  0x8054619 in ParseRule (rule_file=0x2818f450,
    prule=0xbfbfd23c "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:\"Chunked Encoding Request\"; flags: A+; content:\"Transfer-Encoding:\"; nocase;) ", inclevel=1) at rules.c:729
#4  0x8053ddf in ParseRulesFile (file=0x810f6c0 "/usr/local/etc/landsend.com.rules", inclevel=1) at rules.c:198
#5  0x805426c in ParseRule (rule_file=0x2818f3a0, prule=0xbfbff76c "include /usr/local/etc/landsend.com.rules",
    inclevel=0) at rules.c:523
#6  0x8053ddf in ParseRulesFile (file=0x80b3c44 "/usr/local/etc/snort.conf", inclevel=0) at rules.c:198
#7  0x804a9a4 in main (argc=4, argv=0xbfbffc00) at snort.c:335

---
Art Green
Information Security Group
Lands End, Inc.





More information about the Snort-devel mailing list