[Snort-devel] snort243b26 segfault (because config error)

Jason security at ...1585...
Sat Nov 19 11:35:01 EST 2005


Looks like a Null pointer because the option is not properly terminated.
You need to fix the rule so the option is correctly terminated.

Place this code at line 144 of src/detection-plugins/sp_ip_proto.c if
you want snort to bail with a message.

    if ( data == NULL )
    {
            FatalError("%s(%d) => Bad ip_proto option ( did you forget
the ;)\n",
                    file_name, file_line);
    };




rmkml wrote:
> possible reply on list please ?
> 
> 
> On Sat, 19 Nov 2005, rmkml wrote:
> 
>> Date: Sat, 19 Nov 2005 17:13:00 +0100 (CET)
>> From: rmkml <rmkml at ...879...>
>> To: Jason <security at ...1585...>
>> Subject: Re: [Snort-devel] snort243b26 segfault (because config error)
>>
>> Hi Jason,
>>
>> you have added ";" ... (please check with my rules)
>>
>> Regards
>> Rmkml
>>
>>
>> On Sat, 19 Nov 2005, Jason wrote:
>>
>>> Date: Sat, 19 Nov 2005 12:02:57 -0500
>>> From: Jason <security at ...1585...>
>>> To: rmkml <rmkml at ...879...>
>>> Cc: snort-devel at lists.sourceforge.net
>>> Subject: Re: [Snort-devel] snort243b26 segfault (because config error)
>>>
>>> on 2.4.3 with a rule of
>>>
>>> alert ip any any -> any any (msg:"segfault"; ip_proto:..; content:"00";)
>>>
>>> I get this error on start.
>>>
>>> ERROR: ./snort.conf(1) => Bad protocol name ".."
>>> Fatal Error, Quitting..
>>>
>>> What version of snort and what are the vars? reference doc/BUGS for how
>>> to report bugs.
>>>
>>>
>>> rmkml wrote:
>>>
>>>> Hi,
>>>>
>>>> I add this rule :
>>>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"segfault";
>>>> ip_proto:..
>>>> content:"00"; )
>>>>
>>>> and snort reply :
>>>> Segmentation fault
>>>>
>>>> Regards
>>>> Rmkml
>>>>
>>>>
>>>> -------------------------------------------------------
>>>> This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
>>>> Register for a JBoss Training Course.  Free Certification Exam
>>>> for All Training Attendees Through End of 2005. For more info visit:
>>>> http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
>>>> _______________________________________________
>>>> Snort-devel mailing list
>>>> Snort-devel at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>
>>>
>>>
>>> -------------------------------------------------------
>>> This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
>>> Register for a JBoss Training Course.  Free Certification Exam
>>> for All Training Attendees Through End of 2005. For more info visit:
>>> http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
>>
> 




More information about the Snort-devel mailing list