[Snort-devel] Snort 2.7 Segfaults w/bleeding-exploit

Todd Wease twease at ...402...
Wed Jul 25 20:32:42 EDT 2007

Bamm Visscher wrote:
> I was testing 2.7.0 (Build 35) today and ran into a couple of issues.
> The first is fairly simple.
> Initializing rule chains...
> ERROR: /etc/snort/rules/bleeding-dos.rules (79): Invalid ICMP icode in
> rule: >1<5
> Fatal Error, Quitting..

The correct syntax is

1<>5     /* between 1 and 5 */

I don't think that '>1<5' was ever valid syntax.  It was just that Snort
syntax error checking didn't catch it as invalid and was probably doing
the wrong thing with it.

> The below thread on snort-sigs seems to address the issue, not sure
> when the change of syntax occurred
> [Snort-sigs] icode syntax (snort 2.7.0)
> (http://archive.netbsd.se/?ml=snort-sigs&a=2007-07&m=4728221)

This post didn't escape html special chars like '<'.  Disregard what you

> The next issue is a bit different.
> Program received signal SIGSEGV, Segmentation fault.
> 0x080bc81e in Stream5GetFlowData (p=0xbfe18e90) at spp_stream5.c:1277
> 1277        return (StreamFlowData *)ssn->flowdata->data;

Thanks for the heads up.  We're looking into it.

> If I comment out bleeding-exploit.rules, everything works fine. Snort
> doesn't complain with -T either.  I am getting ready to head out, so
> if anyone else can confirm the issue, that'd be great. Otherwise I'll
> try to track down what rule is triggering the issue when I can get
> some more time.
> Bammkkkk

More information about the Snort-devel mailing list