[Snort-devel] Segmentation fault in snort v 1.8.6

Green, Art Art.Green at ...1419...
Tue Jun 18 12:28:03 EDT 2002


Giles,

Yes, my bad.  I should have stated that an unescaped colon causes the core dump.  Escaped colons perform as expected.  My notification to the list was because the segmentation fault occurred if it was not escaped.  Like you said, just a bad, unexpected result.

A

-----Original Message-----
From: Coochey, Giles [mailto:g.coochey at ...482...]
Sent: Tuesday, June 18, 2002 1:54 PM
To: Green, Art; roesch at ...16...
Cc: snort-devel at lists.sourceforge.net
Subject: RE: [Snort-devel] Segmentation fault in snort v 1.8.6


According to the Snort Documentation
(http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.9) you should
escape ':' in content fields. Do you still get the same result if you
replace your rule with this one:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Chunked Encoding
Request"; flags: A+; content:"Transfer-Encoding|3A|"; nocase;)

Admittedly a Seg fault is a bad result for such a trivial error, but I'd be
interested to see if you get the same problem with the escape sequence.

Thanks

Giles Coochey

-----Original Message-----
From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of Green, Art
Sent: 18 June 2002 19:33
To: roesch at ...16...
Cc: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] Segmentation fault in snort v 1.8.6



Appears a colon in the content field of a rule causes snort to drop core.

Arch: x86
OS: FreeBSD 4.4-RELEASE

Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Chunked Encoding
Request"; flags: A+; content:"Transfer-Encoding:"; nocase;)

Command:
/usr/local/bin/snort -T -c /usr/local/etc/snort.conf

Backtrace:
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libz.so.2...done.
Reading symbols from /usr/lib/libpcap.so.2...done.
Reading symbols from /usr/lib/libm.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x8059891 in ParsePattern (rule=0x0, otn=0x8112000) at
sp_pattern_match.c:351
351             rule++;
(gdb) bt
#0  0x8059891 in ParsePattern (rule=0x0, otn=0x8112000) at
sp_pattern_match.c:351
#1  0x8059469 in PayloadSearchInit (data=0x0, otn=0x8112000, protocol=6) at
sp_pattern_match.c:94
#2  0x80552d4 in ParseRuleOptions (
    rule=0xbfbfb18c "alert tcp any any -> [172.27.0.0/16] 80 (msg:\"Chunked
Encoding Request\"; flags: A+; content:\"Transfer-Encoding:\"; nocase;",
rule_type=2, protocol=6) at rules.c:1838
#3  0x8054619 in ParseRule (rule_file=0x2818f450,
    prule=0xbfbfd23c "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
(msg:\"Chunked Encoding Request\"; flags: A+;
content:\"Transfer-Encoding:\"; nocase;) ", inclevel=1) at rules.c:729
#4  0x8053ddf in ParseRulesFile (file=0x810f6c0
"/usr/local/etc/landsend.com.rules", inclevel=1) at rules.c:198
#5  0x805426c in ParseRule (rule_file=0x2818f3a0, prule=0xbfbff76c "include
/usr/local/etc/landsend.com.rules",
    inclevel=0) at rules.c:523
#6  0x8053ddf in ParseRulesFile (file=0x80b3c44 "/usr/local/etc/snort.conf",
inclevel=0) at rules.c:198
#7  0x804a9a4 in main (argc=4, argv=0xbfbffc00) at snort.c:335

---
Art Green
Information Security Group
Lands End, Inc.

