[Snort-devel] Snort 2.7 Segfaults w/bleeding-exploit
twease at ...402...
Wed Jul 25 20:32:42 EDT 2007
Bamm Visscher wrote:
> I was testing 2.7.0 (Build 35) today and ran into a couple of issues.
> The first is fairly simple.
> Initializing rule chains...
> ERROR: /etc/snort/rules/bleeding-dos.rules (79): Invalid ICMP icode in
> rule: >1<5
> Fatal Error, Quitting..
The correct syntax is
1<>5 /* between 1 and 5 */
I don't think that '>1<5' was ever valid syntax. It was just that Snort
syntax error checking didn't catch it as invalid and was probably doing
the wrong thing with it.
> The below thread on snort-sigs seems to address the issue, not sure
> when the change of syntax occurred
> [Snort-sigs] icode syntax (snort 2.7.0)
This post didn't escape html special chars like '<'. Disregard what you
> The next issue is a bit different.
> Program received signal SIGSEGV, Segmentation fault.
> 0x080bc81e in Stream5GetFlowData (p=0xbfe18e90) at spp_stream5.c:1277
> 1277 return (StreamFlowData *)ssn->flowdata->data;
Thanks for the heads up. We're looking into it.
> If I comment out bleeding-exploit.rules, everything works fine. Snort
> doesn't complain with -T either. I am getting ready to head out, so
> if anyone else can confirm the issue, that'd be great. Otherwise I'll
> try to track down what rule is triggering the issue when I can get
> some more time.
More information about the Snort-devel