[Snort-devel] Segmentation fault in snort v 1.8.6

Coochey, Giles g.coochey at ...482...
Tue Jun 18 11:55:02 EDT 2002


According to the Snort Documentation
(http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.9) you should
escape ':' in content fields. Do you still get the same result if you
replace your rule with this one:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Chunked Encoding Request"; flags: A+; content:"Transfer-Encoding|3A|"; nocase;)

Admittedly a Seg fault is a bad result for such a trivial error, but I'd be
interested to see if you get the same problem with the escape sequence.

Thanks

Giles Coochey

-----Original Message-----
From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of Green, Art
Sent: 18 June 2002 19:33
To: roesch at ...16...
Cc: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] Segmentation fault in snort v 1.8.6



Appears a colon in the content field of a rule causes snort to drop core.

Arch: x86
OS: FreeBSD 4.4-RELEASE

Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Chunked Encoding Request"; flags: A+; content:"Transfer-Encoding:"; nocase;)

Command:
/usr/local/bin/snort -T -c /usr/local/etc/snort.conf

Backtrace:
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libz.so.2...done.
Reading symbols from /usr/lib/libpcap.so.2...done.
Reading symbols from /usr/lib/libm.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x8059891 in ParsePattern (rule=0x0, otn=0x8112000) at
sp_pattern_match.c:351
351             rule++;
(gdb) bt
#0  0x8059891 in ParsePattern (rule=0x0, otn=0x8112000) at
sp_pattern_match.c:351
#1  0x8059469 in PayloadSearchInit (data=0x0, otn=0x8112000, protocol=6) at
sp_pattern_match.c:94
#2  0x80552d4 in ParseRuleOptions (
    rule=0xbfbfb18c "alert tcp any any -> [172.27.0.0/16] 80 (msg:\"Chunked
Encoding Request\"; flags: A+; content:\"Transfer-Encoding:\"; nocase;",
rule_type=2, protocol=6) at rules.c:1838
#3  0x8054619 in ParseRule (rule_file=0x2818f450,
    prule=0xbfbfd23c "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
(msg:\"Chunked Encoding Request\"; flags: A+;
content:\"Transfer-Encoding:\"; nocase;) ", inclevel=1) at rules.c:729
#4  0x8053ddf in ParseRulesFile (file=0x810f6c0
"/usr/local/etc/landsend.com.rules", inclevel=1) at rules.c:198
#5  0x805426c in ParseRule (rule_file=0x2818f3a0, prule=0xbfbff76c "include
/usr/local/etc/landsend.com.rules",
    inclevel=0) at rules.c:523
#6  0x8053ddf in ParseRulesFile (file=0x80b3c44 "/usr/local/etc/snort.conf",
inclevel=0) at rules.c:198
#7  0x804a9a4 in main (argc=4, argv=0xbfbffc00) at snort.c:335

---
Art Green
Information Security Group
Lands End, Inc.
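
Added example, not part of the original thread and not Snort's own code: a small content-pattern decoder that rejects the NULL argument seen in frame #0 of the backtrace (rule=0x0) instead of stepping through it, and that decodes the |3A| form suggested in the reply. The name decode_content, its return convention and the backslash handling are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Decode a content-style pattern: literal text with |hex bytes| sections.
 * Returns the number of bytes written to out, or -1 on malformed input.
 * Hypothetical helper for illustration; not Snort's ParsePattern. */
int decode_content(const char *arg, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    int in_hex = 0;
    /* The backtrace shows the parser entered with a NULL argument and
     * faulting on a pointer step; fail cleanly on that case instead. */
    if (arg == NULL || out == NULL || *arg == '\0')
        return -1;

    for (const char *p = arg; *p != '\0'; p++) {
        unsigned char byte;
        if (*p == '|') {                 /* toggle hex mode */
            in_hex = !in_hex;
            continue;
        }
        if (in_hex) {
            if (*p == ' ')
                continue;                /* spaces separate hex bytes */
            if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
                return -1;               /* need two hex digits per byte */
            char pair[3] = { p[0], p[1], '\0' };
            byte = (unsigned char)strtoul(pair, NULL, 16);
            p++;                         /* consumed the second digit */
        } else {
            if (*p == '\\' && p[1] != '\0')
                p++;                     /* backslash escapes next char */
            byte = (unsigned char)*p;
        }
        if (n >= outlen)
            return -1;                   /* output buffer too small */
        out[n++] = byte;
    }
    return in_hex ? -1 : (int)n;         /* unterminated |hex| block */
}

int main(void)
{
    unsigned char buf[64];
    int n = decode_content("Transfer-Encoding|3A|", buf, sizeof buf);
    printf("%d bytes, last byte 0x%02X\n", n, buf[n - 1]);
    return decode_content(NULL, buf, sizeof buf) == -1 ? 0 : 1;
}
```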

