[Snort-devel] Bug in snort - no resolve

Martin Olsson elof at ...969...
Tue Dec 6 03:15:34 EST 2005


Oct 17 I reported this problem for snort v2.4.2. (see below)
A few minutes ago I downloaded the current CVS snapshot of snort and
tested it. It too has this problem:

...
...
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

X-Link2State Config:
    Ports: 25 691
ERROR: ERROR ../rules/bad-traffic.rules(12): Couldn't resolve hostname 195.178.169.0
Fatal Error, Quitting..


Could you please rewrite the resolver part of the parser code so that
snort can run on a system with absolutely no resolving support?
(my snort is running in a very stripped down environment)

/Martin

======================================================================

Date: 17 Oct 2005 16:24:01 +0200 (CEST)
Subject: [Snort-devel] Bug in snort v2.4.2 - no resolve


I have a stand-alone FreeBSD system running snort for years.
Now I tried to upgrade snort to 2.4.2 and it fails.

With the default snort.conf and rules, snort exits with the following
error message:

 couldn't resolve hostname: 232.0.0.0

This address/network comes from sid:1431 in bad-traffic.rules.


After some debugging I found out that it is because I have disabled "bind"
from /etc/host.conf (nsswitch.conf in linux), and I don't want to enable
it.
If I temporarily enable both "hosts" and "bind" in /etc/host.conf, snort
2.4.2 starts without any problem.


Have you done something wrong with the resolver function in snort 2.4?
IMHO, snort should proceed even if I have disabled "bind" and only use the
hosts file.

Oh, and BTW, why is snort trying to resolve multicast addresses in the
first place?

/Martin Olsson
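The parser behaviour both messages ask for, as an added example in C that is not Snort's own code (Snort's rule parser is not reproduced here; the function parse_rule_addr, its allow_resolver flag and the rule_addr_t struct are my own names). The point it shows: a rule address that is already a dotted quad, with or without a /bits or /dotted-mask suffix, is parsed with inet_pton() and never reaches the resolver, so a box with "bind" disabled in /etc/host.conf (or no resolver at all) still loads the rule; only a token that is not a literal address falls back to getaddrinfo(), and that fallback can be switched off entirely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>

/* Result of parsing one rule address: network and mask in host byte order.
 * (Hypothetical type for this example; not a Snort structure.) */
typedef struct {
    uint32_t net;
    uint32_t mask;
    int ok;            /* 1 if the spec parsed, 0 on failure */
    int via_resolver;  /* 1 only if a name lookup was actually performed */
} rule_addr_t;

/* Parse "a.b.c.d", "a.b.c.d/n" or "a.b.c.d/w.x.y.z".
 * Literal addresses are handled with inet_pton() and never touch the
 * resolver. A non-literal token is looked up with getaddrinfo() only when
 * allow_resolver is non-zero; with allow_resolver == 0 it is a parse error
 * instead of a fatal "Couldn't resolve hostname". */
rule_addr_t parse_rule_addr(const char *spec, int allow_resolver)
{
    rule_addr_t r = {0, 0xffffffffU, 0, 0};
    char buf[256];
    char *slash;
    struct in_addr a;

    if (!spec || strlen(spec) >= sizeof buf) return r;
    strcpy(buf, spec);

    /* Optional netmask suffix: either a prefix length or a dotted mask. */
    slash = strchr(buf, '/');
    if (slash) {
        *slash++ = '\0';
        if (strchr(slash, '.')) {
            if (inet_pton(AF_INET, slash, &a) != 1) return r;
            r.mask = ntohl(a.s_addr);
        } else {
            char *end;
            long bits = strtol(slash, &end, 10);
            if (*slash == '\0' || *end != '\0' || bits < 0 || bits > 32) return r;
            /* Shifting a 32-bit value by 32 is undefined, so special-case /0. */
            r.mask = (bits == 0) ? 0 : (0xffffffffU << (32 - bits));
        }
    }

    /* Fast path: a dotted quad (multicast like 232.0.0.0 included) needs no
     * name service at all. */
    if (inet_pton(AF_INET, buf, &a) == 1) {
        r.net = ntohl(a.s_addr) & r.mask;
        r.ok = 1;
        return r;
    }

    /* Only a genuine hostname reaches this point. */
    if (!allow_resolver) return r;
    {
        struct addrinfo hints, *res;
        memset(&hints, 0, sizeof hints);
        hints.ai_family = AF_INET;
        hints.ai_socktype = SOCK_STREAM;
        if (getaddrinfo(buf, NULL, &hints, &res) != 0) return r;
        a = ((struct sockaddr_in *)res->ai_addr)->sin_addr;
        freeaddrinfo(res);
        r.net = ntohl(a.s_addr) & r.mask;
        r.via_resolver = 1;
        r.ok = 1;
    }
    return r;
}

int main(void)
{
    /* Constructed sample specs; the first two mirror the addresses quoted
     * in the error messages above. */
    const char *specs[] = {"232.0.0.0", "195.178.169.0/24",
                           "10.0.0.5/255.255.0.0", "not-an-ip"};
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        rule_addr_t r = parse_rule_addr(specs[i], 0);
        printf("%-22s ok=%d resolver=%d net=0x%08x mask=0x%08x\n",
               specs[i], r.ok, r.via_resolver, r.net, r.mask);
    }
    return 0;
}
```

Every address in the stock rule set is a literal, so with this ordering the resolver is never consulted when loading them; passing allow_resolver=0 in a stripped-down environment turns a hostname in a rule into an ordinary parse error rather than a fatal exit.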




