[Snort-devel] Bug in VarDefine in parser.c in current cvs snort-1.9 and 1.8.7beta1(BUILD 113)

Phil Wood cpw at ...86...
Wed May 15 16:21:02 EDT 2002


Folks,

I had a case where I used these two switches on the command line:

  -S SCANLOG=/d2/pw/log/default/aa20020515.1452.scan 
  -S TCPDUMPFILE=\!aa20020515.1452

Lo and behold, the SCANLOG took, but there were two copies on the var list,
and TCPDUMPFILE did not take, but was replaced on the list by the value
in the conf file. 

Note: the bang (!) is from another patch I sent in for spo_log_tcpdump.c
      that would allow the user to specify the name of the log file.
      I used the bang because I really meant it.

So, after much staring at the algorithm, I realized that no matter what,
the "static" variable was being treated as a variable variable and
overwritten by the value found in the conf file.  The patch included
fixes the problem.

I apply the patch by changing to snort (1.9) and typing

  patch -p 1 < /tmp/parser-patch

It is broken in the 1.8 cvs also.  That looks like just picking up the
source from parser.c in 1.9 (after you patch it) for VarDefine and replacing
the one in rules.c.

I've included the other patch to spo_log_tcpdump.c in case you want to
go that way.

Thanks,

-- 
Phil Wood, cpw at ...86...

-------------- next part --------------
--- snort/src/parser.c	Wed May 15 17:30:09 2002
+++ snort+/src/parser.c	Wed May 15 22:46:41 2002
@@ -2807,7 +2807,6 @@
 struct VarEntry *VarDefine(char *name, char *value)
 {
     struct VarEntry *p;
-    int found = 0;
 
     if(value == NULL)
     {
@@ -2834,21 +2833,19 @@
     {
         if(strcasecmp(p->name, name) == 0)
         {
-            found = 1;
-            break;
-        }
-        p = p->next;
-    } while(p != VarHead);
-
-    if( found && !(p->flags & VAR_STATIC))
+	    if (!(p->flags & VAR_STATIC))
     {
         if( p->value )
             free(p->value);
  
          p->value = strdup(value);
      }
-     else
-    {
+	    return (p);
+        }
+        p = p->next;
+
+    } while(p != VarHead);
+
         p = VarAlloc();
         p->name = strdup(name);
         p->value = strdup(value);
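Review bot: the new early `return (p);` inside the `strcasecmp` match drops a redefinition of a `VAR_STATIC` entry with no trace, so a one-line comment above `if (!(p->flags & VAR_STATIC))` saying that static values (the `-S` ones from the report) take precedence over the conf file would document the intent, and a debug message on that path would help when a conf value appears to be ignored. The added lines are tab-indented while the retained body (`if( p->value ) free(p->value);`) keeps its old depth, so the indentation no longer matches the brace nesting; re-indent the block with spaces to match the file. The `p->value = strdup(value);` that follows `free(p->value)` is also unchecked, so an allocation failure leaves the entry with a NULL value.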
@@ -2856,7 +2853,7 @@
         p->next = VarHead->next;
         p->next->prev = p;
         VarHead->next = p;
-    }
+
     return p;
 }
 
-------------- next part --------------
--- snort-orig/src/output-plugins/spo_log_tcpdump.c	Wed Apr 10 17:14:24 2002
+++ snort+/src/output-plugins/spo_log_tcpdump.c	Tue Apr 30 17:12:19 2002
@@ -282,9 +282,14 @@
         value = snprintf(logdir, STD_BUF-1, "%s%s.%lu", 
 			 chrootdir == NULL ? "" : chrootdir, data->filename, curr_time);
     else
+	if (data->filename[0] == '!')
+            value = snprintf(logdir, STD_BUF-1, "%s%s/%s",
+			    chrootdir == NULL ? "" : chrootdir, pv.log_dir,
+			    &data->filename[1]);
+        else
         value = snprintf(logdir, STD_BUF-1, "%s%s/%s.%lu",
-			 chrootdir == NULL ? "" : chrootdir, pv.log_dir, data->filename,
-             curr_time);
+			 chrootdir == NULL ? "" : chrootdir, pv.log_dir,
+			 data->filename, curr_time);
 
     if(value == -1)
         FatalError("ERROR: log file logging path and file name are too long, "
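Review bot: in the new `data->filename[0] == '!'` branch, `&data->filename[1]` is appended to `pv.log_dir` with no validation visible in the hunk, so a name that contains `/` or `..` components, or that has nothing after the bang, yields a path outside the log directory or one ending in a bare `/`; reject those cases before the `snprintf`. The nested `if`/`else` under the outer `else` has no braces and mixes tabs with spaces, so brace both levels to make the pairing explicit. The `value == -1` test that follows also misses truncation on a C99 `snprintf`, which returns the would-be length rather than -1; checking `value >= STD_BUF-1` as well would cover it.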
