[Snort-devel] Signature Error Fix and CVS HEAD

Daniel J. Roelker droelker at ...402...
Mon Jan 5 13:24:00 EST 2004


Happy New Year.

Thanks to everyone that pointed out the signature error they were
finding.  And special thanks to Andreas Ostling for verifying the patch
with his reproducible test case.  This fix has been checked into CVS in
the HEAD branch.  So for the latest fixes please grab them from there.

By the way, please check out from HEAD to verify any problems you've been
having (like Solaris compilation which was checked into HEAD two weeks
ago).  After we know the patches in HEAD fix the 2.1 problems and they
are stable, we'll merge back into the SNORT_2_1 branch.

Dan

On Sat, 2004-01-03 at 09:32, Chris Keladis wrote:
> Hi Andreas,
> 
> [Firstly sorry for the new thread. I read your message on the web-archives 
> and only recently subscribed to snort-dev so I didn't have a local copy of 
> your message to reply to..]
> 
> I've also noticed this in Snort 2.1.0 and have been looking at the code in gdb.
> 
> To add some information to the pot, I found when in fpAddEvent() (just 
> before the final return) and examining pmi->MatchArray[], I noticed there 
> are 2 matched events, one an ICMP message and the other an "MS-SQL Worm 
> propagation attempt" alert.
> 
> An example:
> 
> (gdb) print pmi->MatchArray[0]->otn->sigInfo->message
> $18 = 0x85d1888 "ICMP Destination Unreachable (Communication 
> Administratively Prohibited)"
> (gdb) print pmi->MatchArray[1]->otn->sigInfo->message
> $19 = 0x85c7cc0 "MS-SQL Worm propagation attempt"
> 
> Examining the 'Packet * p' structure the packet is definitely an ICMP message.
> 
> I don't have a pcap capture of the problem (but could make one if 
> necessary). It's reproducible just by watching regular traffic in my case.
> 
> I see "MS-SQL Worm propagation attempt" alerts for TCP and ICMP packets 
> when the rule clearly should only match UDP packets.
> 
> Hope it helps shed some light..
> 
> Cheers,
> 
> Chris.
> 
> 
> 
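As an added illustration of the symptom Chris describes (this is not Snort code, and the names below, such as `match_entry`, `filter_matches_by_proto` and `count_proto_mismatches`, are hypothetical stand-ins rather than Snort's `fpAddEvent()` or `MatchArray`), the C snippet models the invariant a detection engine's match queue should uphold: every queued match must come from a rule whose protocol agrees with the packet's. The constructed sample reproduces the reported case of an ICMP packet carrying both an ICMP rule and the UDP-only "MS-SQL Worm propagation attempt" rule, and shows a check that flags and drops the cross-protocol entry instead of letting it become an alert.

```c
/* Added example, not Snort's code.  All identifiers here are
 * hypothetical and do not correspond to Snort's internal structures. */
#include <stdio.h>
#include <stddef.h>

/* IP protocol numbers for the three protocols named in the thread. */
enum proto { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

struct rule {
    const char *message;   /* alert text, as in sigInfo->message */
    enum proto  proto;     /* protocol named in the rule header */
};

/* One entry of a per-packet match queue. */
struct match_entry {
    const struct rule *rule;
};

/* Count queued matches whose rule protocol disagrees with the packet's
 * protocol.  A non-zero result is exactly the anomaly reported above. */
size_t count_proto_mismatches(const struct match_entry *m, size_t n,
                              enum proto pkt_proto)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (m[i].rule->proto != pkt_proto)
            bad++;
    return bad;
}

/* Remove cross-protocol entries in place, logging each one, and return
 * the number of entries kept. */
size_t filter_matches_by_proto(struct match_entry *m, size_t n,
                               enum proto pkt_proto)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (m[i].rule->proto == pkt_proto) {
            m[kept++] = m[i];
        } else {
            fprintf(stderr,
                    "dropping cross-protocol match \"%s\" "
                    "(rule proto %d, packet proto %d)\n",
                    m[i].rule->message, m[i].rule->proto, pkt_proto);
        }
    }
    return kept;
}

/* Constructed sample: the two messages quoted from gdb in the report. */
static const struct rule r_icmp = {
    "ICMP Destination Unreachable (Communication Administratively Prohibited)",
    PROTO_ICMP
};
static const struct rule r_mssql = {
    "MS-SQL Worm propagation attempt",
    PROTO_UDP
};

/* Reproduce the reported state: an ICMP packet with both rules queued.
 * Returns how many matches survive the protocol check. */
size_t demo_icmp_packet(void)
{
    struct match_entry ma[2] = { { &r_icmp }, { &r_mssql } };
    return filter_matches_by_proto(ma, 2, PROTO_ICMP);
}

int main(void)
{
    struct match_entry ma[2] = { { &r_icmp }, { &r_mssql } };
    printf("mismatches before filtering: %zu\n",
           count_proto_mismatches(ma, 2, PROTO_ICMP));
    printf("matches kept for ICMP packet: %zu\n", demo_icmp_packet());
    return 0;
}
```

Run as written it reports one mismatch and keeps a single match for the ICMP packet; as a regression check against the fix in HEAD, the useful assertion is that `count_proto_mismatches` is zero for every packet once the engine itself enforces the rule-header protocol.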
-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.