[Snort-devel] Snort 2.8.5 Beta Now Available

Todd Wease twease at ...402...
Thu May 14 11:59:18 EDT 2009

Thanks for the report rmkml.  Snort is crashing because the function
that parses the within keyword is not checking for NULL arguments and
then dereferencing a NULL pointer.  As long as you supply a value to the
within keyword this shouldn't happen.  We'll open a bug for this since
Snort shouldn't segfault but fail gracefully.  The reason 2.8.4 doesn't
segfault is because and empty string was being passed in instead of NULL
and the code wasn't checking the argument for no value and the within
was being set to 0 via a strtol call which we probably should have been
checking start_ptr == end_ptr and fail since no digits were actually

rmkml wrote:
> Hi,
> First, Congratulations SF team for this new version!
> Im found a segfault with this new version with this rule:
>  alert tcp any any -> any any (msg:"snort v2.8.5 beta SegFault";
> content:"test"; within:; nocase; sid:987654321; rev:1;)
> Yes, within keyword don't have value! and snort crash with nocasei
> keyword...
> look my very simple snort.conf:
>  dynamicpreprocessor directory
> dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
>  dynamicengine dynamic-plugins/sf_engine/.libs/libsf_engine.so
>  preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
> and sid 987654321 of course!
> Please add my pseudo to Credits file and my company: Crusoe Researches.
> Happy Detect (snort,bro,azwalaro)
> Regards
> Rmkml
> Crusoe-Researches.com
> On Thu, 14 May 2009, Snort Releases wrote:
>> A beta version of Snort 2.8.5 is now available on snort.org, at
>> http://www.snort.org/dl/
>> Snort 2.8.5 introduces:
>> - Ability to specify multiple configurations (snort.conf and everything
>>  it includes), bound either by Vlan ID or IP Address.  This allows you
>>  to run one instance of Snort with multiple snort.conf, rather than
>>  having separate processes.
>> - Continued inspection of traffic while reloading a configuration.
>>  Add --enable-reload option to your configure script prior to building.
>> - Rate Based Attack prevention for Connection Attempts, Concurrent
>>  Connections, and improved rule/event filtering.  See README.filters
>>  for details.
>> - SSH preprocessor (no longer experimental)
>> - Performance improvements in various places
>> Please see the Release Notes and ChangeLog for more details.
>> Please submit bugs, questions, and feedback to
>> snort-beta at ...2780...
>> Happy Snorting!
>> The Snort Release Team

More information about the Snort-devel mailing list