[Snort-devel] RE: 2 possible bugs in Snort 1.9.0

JP Vossen JP at ...1659...
Tue Nov 26 12:36:02 EST 2002


Re: my issues far below.

#1:

> -----Original Message-----
> From: Martin Roesch [mailto:roesch at ...402...]
> Sent: Tuesday, November 19, 2002 7:37 AM
> To: JP Vossen
> Subject: Re: 2 possible bugs in Snort 1.9.0
> 
> Hi JP,
>     The first bug is fixed in CVS and the upcoming 1.9.1 
> release, it's a one-line fix if you'd like to dig into it.
> All you have to do is remove the ":" after the "s" on line 
> 740 in snort.c:
> 
> --- snort.c     2002-09-25 15:56:53.000000000 -0400
> +++ snort-fixed.c       2002-11-19 07:25:53.000000000 -0500
> @@ -737,7 +737,7 @@
>  
>  #ifndef WIN32
>      valid_options = "R:B:fk:TXL:IOCqS:pNA:m:F:DM:br:xeh:l:dc:n:P:"
> -        "i:G:vV?ao6u:g:s:t:Uwyz";
> +        "i:G:vV?ao6u:g:st:Uwyz";
>  #else
>      valid_options = "R:B:fk:TXL:IOCqS:pNA:m:F:DM:br:xeh:l:dc:n:P:"
>          "i:G:vV?ao6u:g:s:t:UwyzEW";
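Review bot: the `#else` (WIN32) option string in the trailing context still reads `s:`, so after this change `-s` takes no argument on UNIX but still consumes one on Windows. If that split is intentional, a short comment above the two `valid_options` strings saying so would keep the two from being "re-synchronised" later; if it is not, the same one-character change belongs in the WIN32 string as well.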



#2:

> -----Original Message-----
> From: Martin Roesch [mailto:roesch at ...402...]
> Sent: Saturday, November 23, 2002 6:01 PM
> To: JP Vossen
> Subject: Re: 2 possible bugs in Snort 1.9.0
> 
> The three space problem is actually in the win32-code directory (in 
> src/win32), syslog.c has the extra spaces due to a bad format 
> string...
> 
> I'll see if I can fix it in the not too distant future.
> 
>       -Marty


__________________________________________
JP Vossen, CISSP
Counterpane Internet Security: Integration Manager
jp at ...1659...
PGP: 4A66 F380 061B ED7E 2D5B  68B0 48C7 9B0E C1ED E7FA
Work: 610-409-2765  Cell: 610-812-0930    (TZ: -0500 [EST5EDT])


> -----Original Message-----
> From: JP Vossen 
> Sent: Sunday, November 03, 2002 7:15 PM
> To: snort-devel at lists.sourceforge.net
> Cc: Roesch,Marty; Bird,Tina (Home); Glen Seimetz
> Subject: 2 possible bugs in Snort 1.9.0
> 
> 
> 
> PLEASE copy my e-mail address (jp at ...1659...) on any 
> replies, as I am not a member of this list.  Thank you.
> 
> In researching an issue to find out why Counterpane is having 
> trouble correctly filtering and parsing Snort messages when 
> Snort is running under Windows, I found the following 2 
> possible bugs.  Searching the archives of this list and the 
> "Snort Users" list did not return any relevant hits.  This 
> list had some discussion about IDSCenter and spaces in the 
> directory name, but that was all I found.
> 
> The first issue is easy.  And I lied, it IS in the list at 
> http://marc.theaimsgroup.com/?l=snort-devel&m=103444790802140&
> w=2...  It's the "-s now requires an argument under UNIX, 
> even though it shouldn't" thing.  So I noticed it too.
> 
> 
> 
> The second issue also seems simple enough.  Snort using -s 
> and running on Windows seems to insert 3 spaces between the 
> facility/priority code and the program name.  See the sniffer 
> captures (snort -qvde, with NetCat to trigger it) below.  Is 
> that a feature or a bug?  It is currently causing 
> Counterpane's filters not to work for Snort on Windows, as we 
> don't expect white space there.  I have confirmed this 
> behavior on Windows 2000 using Snort 1.8.7 and 1.9.0.
> 
> 192.168.99.100:514 -> 192.168.99.5:514 UDP TTL:64 TOS:0x0 
> ID:0 IpLen:20 DgmLen:185 DF
> Len: 165
> 3C 33 38 3E 73 6E 6F 72 74 5B 38 35 32 34 5D 3A  <38>snort[8524]:
> 20 5B 31 3A 32 37 31 3A 33 5D 20 44 4F 53 20 55   [1:271:3] DOS U
> 44 50 20 65 63 68 6F 2B 63 68 61 72 67 65 6E 20  DP echo+chargen
> 62 6F 6D 62 20 5B 43 6C 61 73 73 69 66 69 63 61  bomb [Classifica
> 74 69 6F 6E 3A 20 41 74 74 65 6D 70 74 65 64 20  tion: Attempted
> 44 65 6E 69 61 6C 20 6F 66 20 53 65 72 76 69 63  Denial of Servic
> 65 5D 20 5B 50 72 69 6F 72 69 74 79 3A 20 32 5D  e] [Priority: 2]
> 3A 20 7B 55 44 50 7D 20 31 39 32 2E 31 36 38 2E  : {UDP} 192.168.
> 39 39 2E 31 32 3A 37 20 2D 3E 20 31 39 32 2E 31  99.12:7 -> 192.1
> 36 38 2E 39 39 2E 31 30 30 3A 31 39 0A           68.99.100:19.
> 
> 
> 192.168.99.199:2130 -> 192.168.99.5:514 UDP TTL:128 TOS:0x0 
> ID:27690 IpLen:20 DgmLen:187
> Len: 167
> 3C 33 38 3E 20 20 20 73 6E 6F 72 74 5B 31 33 30  <38>   snort[130
> 30 5D 3A 20 5B 31 3A 32 37 31 3A 33 5D 20 44 4F  0]: [1:271:3] DO
> 53 20 55 44 50 20 65 63 68 6F 2B 63 68 61 72 67  S UDP echo+charg
> 65 6E 20 62 6F 6D 62 20 5B 43 6C 61 73 73 69 66  en bomb [Classif
> 69 63 61 74 69 6F 6E 3A 20 41 74 74 65 6D 70 74  ication: Attempt
> 65 64 20 44 65 6E 69 61 6C 20 6F 66 20 53 65 72  ed Denial of Ser
> 76 69 63 65 5D 20 5B 50 72 69 6F 72 69 74 79 3A  vice] [Priority:
> 20 32 5D 3A 20 7B 55 44 50 7D 20 31 39 32 2E 31   2]: {UDP} 192.1
> 36 38 2E 39 39 2E 31 32 3A 37 20 2D 3E 20 31 39  68.99.12:7 -> 19
> 32 2E 31 36 38 2E 39 39 2E 31 39 39 3A 31 39     2.168.99.199:19
> 
> 
> Can anyone confirm these as bugs, and let me know when they 
> might be addressed if so?
> 
> Thanks for your time, and for the coolest IDS out there IMHO!
> JP
> __________________________________________
> JP Vossen, CISSP
> Counterpane Internet Security: Integration Manager
> jp at ...1659...
> PGP: 4A66 F380 061B ED7E 2D5B  68B0 48C7 9B0E C1ED E7FA
> Work: 610-409-2765  Cell: 610-812-0930    (TZ: -0500 [EST5EDT])
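
The two captured datagrams above, run through a strict header match and a whitespace-tolerant alert parser. This is an added example, not code from the thread, Snort or Counterpane: `STRICT_HDR` is a hypothetical stand-in for a filter that expects the program name directly after the `<PRI>` field, and the function names are assumptions.

```python
import re

# Payloads decoded from the two hex captures quoted in the message above.
UNIX_MSG = (b"<38>snort[8524]: [1:271:3] DOS UDP echo+chargen bomb "
            b"[Classification: Attempted Denial of Service] [Priority: 2]: "
            b"{UDP} 192.168.99.12:7 -> 192.168.99.100:19\n")
WIN_MSG = (b"<38>   snort[1300]: [1:271:3] DOS UDP echo+chargen bomb "
           b"[Classification: Attempted Denial of Service] [Priority: 2]: "
           b"{UDP} 192.168.99.12:7 -> 192.168.99.199:19")

# Hypothetical strict filter: the tag must follow "<PRI>" with no padding.
STRICT_HDR = re.compile(rb"^<(\d{1,3})>(\w+)\[(\d+)\]: ")

# Tolerant pattern: optional blanks after "<PRI>", then the Snort alert fields.
ALERT = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<pad>[ \t]*)(?P<tag>\w+)\[(?P<pid>\d+)\]:\s+"
    rb"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    rb"\[Classification: (?P<cls>[^\]]+)\]\s+\[Priority: (?P<prio>\d+)\]:\s+"
    rb"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")

def strict_match(datagram):
    """True if the strict (no-padding) header filter accepts the datagram."""
    return STRICT_HDR.match(datagram) is not None

def parse_alert(datagram):
    """Parse a Snort syslog alert; return a dict of fields, or None."""
    m = ALERT.match(datagram)
    if m is None:
        return None
    f = {k: v.decode("ascii") for k, v in m.groupdict().items()}
    pri = int(f["pri"])
    return {
        "facility": pri >> 3, "severity": pri & 7,  # PRI = facility*8 + severity
        "pad": len(f["pad"]),                       # blanks after <PRI>; 0 is expected
        "tag": f["tag"], "pid": int(f["pid"]),
        "sid": (int(f["gid"]), int(f["sid"]), int(f["rev"])),
        "msg": f["msg"], "classification": f["cls"],
        "priority": int(f["prio"]), "proto": f["proto"],
        "src": f["src"], "dst": f["dst"],
    }

if __name__ == "__main__":
    for name, d in (("unix", UNIX_MSG), ("win32", WIN_MSG)):
        print(name, strict_match(d), parse_alert(d))
```

Recording `pad` rather than silently discarding it lets a collector flag which sensors send the padded form while still ingesting their alerts.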



