[Snort-devel] [Bleeding-sigs] Snort 2.7 Segfaults w/bleeding-exploit

Matt Jonkman jonkman at ...2939...
Wed Jul 25 19:42:31 EDT 2007

I'm disabling the rule for now. The manual still has the old syntax, so
we'll have to get more info.

It's an old rule, so not a huge deal. I'll keep it disabled and note
this in the file until we have a better solution.

Glad you mentioned it Bamm!


Bamm Visscher wrote:
> I was testing 2.7.0 (Build 35) today and ran into a couple of issues.
> The first is fairly simple.
>
> Initializing rule chains...
> ERROR: /etc/snort/rules/bleeding-dos.rules (79): Invalid ICMP icode in
> rule: >1<5
> Fatal Error, Quitting..
>
> The below thread on snort-sigs seems to address the issue, not sure
> when the change of syntax occurred
>
> [Snort-sigs] icode syntax (snort 2.7.0)
> (http://archive.netbsd.se/?ml=snort-sigs&a=2007-07&m=4728221)
>
> The next issue is a bit different.
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x080bc81e in Stream5GetFlowData (p=0xbfe18e90) at spp_stream5.c:1277
> 1277        return (StreamFlowData *)ssn->flowdata->data;
>
> If I comment out bleeding-exploit.rules, everything works fine. Snort
> doesn't complain with -T either.  I am getting ready to head out, so
> if anyone else can confirm the issue, that'd be great. Otherwise I'll
> try to track down what rule is triggering the issue when I can get
> some more time.
>
> Bammkkkk

Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026

PGP: http://www.bleedingthreats.com/mattjonkman.asc
