[Snort-devel] Snort 2.0.5 hang/infinte loop

Jeremy Hewlett jh at ...402...
Wed Dec 10 08:30:01 EST 2003

On Wed, Dec 10, Lawrence Reed wrote:
> Actually the patch came from Dan Roelker at SourceFire.  I believe he is 
> testing it for inclusion in the upcoming 2.1 release.

Yes, we're currently testing this (and other patches) for the 2.1
release. However, we're also going to be releasing 2.0.6 to address
issues people have been reporting with the 2.0.x series. I expect to
have this release out in the next few days, or early next week should
any problems arise.

> Any more details will have to come from Dan.

(fielding this one for Dan)

Dan's patch does fix the problem, everyone that has the patch hasn't
reported any further mishaps. Larry's description of the problem is
pretty good, I'll expand on that some... Basically, here's the problem
- this problem was introduced when recursion was added to the content
detection engine. What causes this looping is if there is a
non-content rule option after a stateful content rule option. If
a content rule option succeeds, and the non-content rule option fails,
then the looping occurs because the stateful content rule options keep
looking for the next occurance of the specified content. In short, 
the non-content options (ie: dsize, ip_proto) should go first,
and the content options last. This is the ideal way to write snort
rules, as this increases performance.

More information about the Snort-devel mailing list