[Snort-devel] Snort3: bug with "-z" when it only in config

Tom Peters (thopeter) thopeter at cisco.com
Tue Nov 20 11:53:03 EST 2018


Really good find. Thanks for reporting this.

We will investigate and fix the problem.


From: Snort-devel <snort-devel-bounces at lists.snort.org> on behalf of Meridoff via Snort-devel <snort-devel at lists.snort.org>
Reply-To: Meridoff <oagvozd at gmail.com>
Date: Tuesday, November 20, 2018 at 11:03 AM
To: "snort-devel at lists.snort.org" <snort-devel at lists.snort.org>
Subject: [Snort-devel] Snort3: bug with "-z" when it only in config

Hello, when option -z (total instances) is given only in config (snort["-z"]=true),
then it equals 1 (default?) for some of the inspectors/plugins/modules, because they are inited between parse_cmd_line and parse_config (where -z lies).

Due to this bug/feature, for many instances we have access to an uninited array p->pp_class.init[slot] in function InspectorManager::thread_init(), when slot > 1, but this array for some inspectors (appid, telnet, etc.) has length 1 (see PHClass constructor).

So we must duplicate "-z" on the command line or not use snort["-z"]=true at all.
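
The ordering problem described in the report, reduced to a stand-alone model. This is an added example, not Snort source and not code from either poster; `Settings`, `PluginClass` and `start_threads` are hypothetical names, and the bounds check in `thread_init` is one possible hardening, not the project's fix.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for the global settings: the thread count keeps its
// default of 1 until some parsing stage overwrites it.
struct Settings { unsigned max_threads = 1; };

// Hypothetical per-plugin record with one "initialized" flag per packet thread.
class PluginClass {
public:
    // The flag array is sized once, from the thread count known at this moment.
    explicit PluginClass(const Settings& s) : init_(s.max_threads, false) {}

    std::size_t slots() const { return init_.size(); }

    // Checked access: a slot the array was never sized for is refused
    // instead of being read or written out of bounds.
    bool thread_init(unsigned slot) {
        if (slot >= init_.size())
            return false;            // caller should fail startup loudly
        init_[slot] = true;
        return true;
    }

private:
    std::vector<bool> init_;
};

// Replays the reported ordering: command line, plugin creation, config file.
// Returns how many thread slots the early-created plugin could not serve.
unsigned start_threads(bool count_on_cmdline, unsigned wanted) {
    Settings s;
    if (count_on_cmdline)
        s.max_threads = wanted;      // stage 1: command-line parsing
    PluginClass early(s);            // stage 2: plugin sized from current value
    s.max_threads = wanted;          // stage 3: config parsing, too late for `early`

    unsigned rejected = 0;
    for (unsigned slot = 0; slot < s.max_threads; ++slot)
        if (!early.thread_init(slot))
            ++rejected;
    return rejected;
}

int main() {
    std::printf("count only in config: %u slots rejected\n", start_threads(false, 4));
    std::printf("count on command line: %u slots rejected\n", start_threads(true, 4));
    return 0;
}
```
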