[Snort-devel] snort crash on misconfig'd snort.conf

Marc Norton mnorton at ...402...
Thu Mar 16 11:50:01 EST 2006


Thanks, I will pass this info along to the right people here.

Thomas Washeim wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hello *,
>testing snort I realized that it can crash if it finds a preprocessor
>rule that looks like this:
>
>'preprocessor
>flow'
>
>(without the ticks of course). I know that this is not a correct rule
>but I find it quite inconvinient that snort crashes hard with a SIGSEGV.
>I attached a patch for snort 2.4.4 and one for 2.6 that I co'd from the
>current cvs tree.
>The patch also contains a suggestion how to make xlink2state/dynamic
>preprocessor smtp less greedy with memory (it uses an array of 65536 int
>values for the port configuration which is quite wasteful, it can do
>with a 32th of that).
>Please note that for 2.4.x the mini preprocessor xlink2state is one int
>short for the port list, so port 65535 cannot be activated reliably!
>
>Thomas
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.1 (GNU/Linux)
>Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
>iD8DBQFEEsg62/ggQBUI/skRAh62AJ9ks2J6/An7Y0IzsDUHnITg2kb0XACeKiQA
>Qg667DHauFUOyEFCyljzKQg=
>=2LPh
>-----END PGP SIGNATURE-----
>  
>


-- 
Marc Norton      Snort Team Lead
Sourcefire,Inc   410-423-1924
www.snort.org    www.sourcefire.com 





More information about the Snort-devel mailing list