[Snort-devel] Snort 2.0.5 hang/infinite loop

Jim Cervantes jcervant at ...2278...
Tue Dec 9 17:51:02 EST 2003


Lawrence,

Thanks very much for the patch.  I have confirmed with gdb that my sensors
are looping in the region of code modified by your patch, so I'm hopeful it
will alleviate the problem.  Before I apply the patch I was hoping to get an
understanding of just what caused my sensors to be vulnerable to this bug.
Does the problem occur in response to a specific way a rule is constructed?

Thanks again!

Jim



-----Original Message-----
From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of Lawrence Reed
Sent: Tuesday, December 09, 2003 4:10 PM
To: Jim Cervantes
Cc: Jeremy Hewlett; snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Snort 2.0.5 hang/infinite loop


Jim,
Here is the patch I am currently using.  Give it a shot.


Jim Cervantes wrote:

>I have a number of recently upgraded sensors (v2.0.0 upgraded to v2.0.5)
>that have ended up in an apparent infinite loop as well.  They have stopped
>logging alerts and are consuming all the CPU they can get.  Can someone lend
>some advice regarding a workaround, or should I roll back snort to a
>previous version?
>
>In particular:
>
>  - Are there certain rules/traffic patterns which I should avoid?
>  - If I roll back snort, what would be a good choice of version?
>
>The sensors are currently in this state, so if anyone has any
>diagnostic-related suggestions, I'm all ears.
>
>Thanks for any advice,
>
>Jim
>
>-----Original Message-----
>From: snort-devel-admin at lists.sourceforge.net
>[mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of Jeremy Hewlett
>Sent: Monday, November 24, 2003 11:11 AM
>To: snort-devel at lists.sourceforge.net
>Subject: Re: [Snort-devel] Snort 2.0.5 hang/infinite loop
>
>
>On Mon, Nov 24, Lawrence Reed wrote:
>
>
>>I upgraded my 2.0.2 sensors ( 4 ) to 2.0.5.  Almost immediately all
>>four sensors went into an infinite loop. I can recreate this if
>>further information is needed.
>>
>>
>
>Could you send me a pcap? We've fixed the problem area, but I'd like
>to get a pcap of what's causing this to test out the fix.
>
>Thanks
>
>
>_______________________________________________
>Snort-devel mailing list
>Snort-devel at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-devel
>


--
Larry Reed  Lawrence.Reed at ...1489...
NOAA IT Security Office
PGP Public Key:
http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772





