[Snort-devel] Whee, Coredump

Brian bmc at ...835...
Sat May 31 06:40:04 EDT 2003


On Sat, May 31, 2003 at 03:02:28AM -0700, Roy S. Rapoport wrote:
> Been working on getting SnortCenter to play nice with Snort 2.0.  At
> this point, SnortCenter has managed to create a config file for snort
> that causes it to segfault and dump core.  I'm guessing this is
> unexpectedly bad.
> 
> The config file is about 500K, so I figured it'd be impolite to mail it.
> It's available at http://www.inorganic.org/~rsr/bad_snort_config.txt

SnortCenter is generating some bad rules.

line 501 is:
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( sid: 2093; rev: 2; msg: "RPC portmap proxy integer overflow attempt TCP"; flow: to_server,established; content: "|00 00 00 00|"; offset: 8; depth: 4; content: "|00 01 86 A0 00|"; offset: 16; depth: 5; content: "|00 00 00 05|"; distance: 3; within: 4; byte_jump:4,4,relati; byte_test:4,>,2048,12,relative; reference: cve,CAN-2003-0028; reference: bugtraq,7123; classtype: rpc-portmap-decode;)

Note the first byte_jump keyword.

byte_jump:4,4,relati;

snort 2.0.0 doesn't coredump for me, but it does give me the error

    ERROR: bad_snort_config.txt(501): unknown modifier "(null)"

-brian
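A generated rules file of this size is easier to check before snort ever parses it. The script below is an added example for this thread, not code from Snort, SnortCenter or anyone in the discussion. It tokenises each rule's option block (respecting quoted content, so a ";" inside a content string does not break the parse) and flags byte_jump / byte_test modifiers that are not in the keyword set the Snort 2.0 manual documents. That modifier set is my assumption and should be extended for newer releases; the embedded rules file is constructed here and includes the rule quoted above so the truncated "relati" is caught.

```python
import re  # kept for callers who want to pre-filter rule lines; not used below

# Modifier keywords accepted by byte_jump and byte_test in Snort 2.0
# (assumption: taken from the 2.0 manual; later releases add keywords such as
# from_beginning, so extend these sets for the version you run).
BYTE_JUMP_MODIFIERS = {"relative", "big", "little", "string", "hex", "dec", "oct",
                       "align", "multiplier"}
BYTE_TEST_MODIFIERS = {"relative", "big", "little", "string", "hex", "dec", "oct"}

# Number of leading positional arguments before the modifiers begin:
# byte_jump:<bytes>,<offset>,...   byte_test:<bytes>,<op>,<value>,<offset>,...
POSITIONAL = {"byte_jump": 2, "byte_test": 4}


def split_options(rule):
    """Return [(key, value)] from the parenthesised option body of one rule.

    Splits on ';' outside double quotes and honours backslash escapes inside
    quotes. Flag-style options without a value (e.g. nocase) get value None.
    """
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return []
    body = rule[start + 1:end]
    parts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == "\\" and in_quote:
            cur.append(ch)
            escape = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        parts.append("".join(cur))
    options = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition(":")
        options.append((key.strip(), value.strip() if sep else None))
    return options


def check_rule(rule):
    """Return (option, bad_token) pairs for unknown byte_jump/byte_test modifiers."""
    problems = []
    for key, value in split_options(rule):
        if key not in POSITIONAL or value is None:
            continue
        allowed = BYTE_JUMP_MODIFIERS if key == "byte_jump" else BYTE_TEST_MODIFIERS
        args = [a.strip() for a in value.split(",")]
        for mod in args[POSITIONAL[key]:]:
            # "multiplier 2" carries an argument; only the keyword is checked.
            word = mod.split()[0].lower() if mod else ""
            if word not in allowed:
                problems.append((key, mod))
    return problems


def check_rules(text):
    """Lint a rules/config file; returns (lineno, option, bad_token) findings.

    One rule per line is assumed (backslash line continuations are not joined).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for key, bad in check_rule(line):
            findings.append((lineno, key, bad))
    return findings


# Constructed sample: a well-formed rule followed by the generated rule from
# line 501 of the config discussed above.
SAMPLE_RULES = """\
# constructed sample rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"ok rule"; content:"|00 01 86 A0|"; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( sid: 2093; rev: 2; msg: "RPC portmap proxy integer overflow attempt TCP"; flow: to_server,established; content: "|00 00 00 00|"; offset: 8; depth: 4; content: "|00 01 86 A0 00|"; offset: 16; depth: 5; content: "|00 00 00 05|"; distance: 3; within: 4; byte_jump:4,4,relati; byte_test:4,>,2048,12,relative; reference: cve,CAN-2003-0028; reference: bugtraq,7123; classtype: rpc-portmap-decode;)
"""

if __name__ == "__main__":
    for lineno, key, bad in check_rules(SAMPLE_RULES):
        print(f"line {lineno}: {key} has unknown modifier {bad!r}")
```

Run it against the generated file (read the file into check_rules) before starting snort; a finding such as line 3 / byte_jump / 'relati' points straight at the option snort rejects with the "unknown modifier" error, without having to bisect a 500K config.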
