AW: [Snort-devel] snort 1.8.4 build 99 dumps core when using icmp pass rules with i type set

Poppi, Sandro Sandro.Poppi at ...1204...
Tue Mar 19 22:18:02 EST 2002


> > Within the pass.rules file whenever there is a itype 
> defined it will core
> > dump. ICMP rules without the itype are parsed correctly.
> 
> What does your itype option look like?

As you can see from the gdb output the rule is
pass icmp any any -> [xxx.xxx.xxx.xxx/32] any (msg:\"allow icmp pings\";
itype: 0, icode: 0;) 

> itype; will cause snort to crash unfortunately instead of printing a
> warning. Noted and fixed.

The rules have been the same with no change for the previous installed
version 1.8.4beta1 and 1.8.4, so anywhere in between there has been that bug
introduced.

> One problem with snort right now is that the same parsing bugs can
> appear in any plugin so we've got the distributed parser problem.
> 
> That architecture problem is on the block to be fixed

Ciao,
Sandro




More information about the Snort-devel mailing list