[Snort-devel] ruletype declaration breaks u2 output for log_uri/log_hostname (with testcase)

Martijn van Oosterhout kleptog at ...2499...
Fri Jun 13 04:22:51 EDT 2014


On 12 June 2014 11:31, Martijn van Oosterhout <kleptog at ...2499...> wrote:

> On 11 June 2014 19:17, Joel Esler (jesler) <jesler at ...3461...> wrote:
>
>>  On Jun 11, 2014, at 12:01 PM, Martijn van Oosterhout <kleptog at ...3054....>
>> wrote:
>>
>> Snort version: 2.9.6.0, but appears to affect older versions as well
>>
>>  I have to ask…  Did you replicate it with the current shipping version?
>>  2.9.6.1?
>>
>>
>>
> Fails there too. Attached are two typescript outputs for two successive
> runs on 2.9.6.1, using a pristine tarball from the website built with
> ./configure --enable-debug. The only difference between the two runs is the
> comment symbol in the snort.conf. As to why Nicholas can't reproduce it, I
> don't know. I've included the md5sums of the config files to see if there
> are other possibilities.
>
> I also checked with strace that it was loading the correct config files.
>
>
>
Ok, I've tested on every version on the git repo
https://github.com/jasonish/snort in an attempt to bisect it, but it's
broken even in the oldest version there. So I've tested it on:

2.9.3.1
2.9.4
2.9.4.1
2.9.4.5
2.9.4.6
2.9.5
2.9.5.3
2.9.5.5
2.9.5.6
2.9.6.0
2.9.6.1

And it's reproducible on all of them. Anyone else having any luck?

Hope this helps,
-- 
Martijn van Oosterhout <kleptog at ...2499...> http://svana.org/kleptog/