[Snort-devel] Fwd: Snort3: bug with "-z" when it only in config

Russ rucombs at cisco.com
Wed Nov 21 09:01:12 EST 2018


Hi Meridoff,

I'm not able to reproduce the exact issue you report but I did find a 
bug.  What version of Snort++ are you using?  Here is a summary of my 
findings:

1.  snort["-z"] = true is a misconfiguration and should not be expected 
to work under any circumstances.

2.  snort = { "-z" = 2 } is invalid Lua.

3.  snort = { }; snort["-z"] = 2 is a valid configuration (number not 
boolean) and we will fix that bug.

Below is what I'm seeing with the latest.  Note that I'm using --lua for 
clarity but the same results hold if you put the command line Lua chunks 
directly in your snort.lua.

Thanks for reporting the issue.
Russ


$ ./snort -c snort.lua --lua 'snort["-z"] = true'
--------------------------------------------------
o")~   Snort++ 3.0.0-249
--------------------------------------------------
Loading snort.lua:
FATAL: can't init overrides: [string "require('snort_config'); 
snort["-z"] = true"]:1: attempt to index global 'snort' (a nil value)
Fatal Error, Quitting..

That makes sense, because the snort table is not defined.  Defining that 
causes Snort to hang:

$ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = true'
--------------------------------------------------
o")~   Snort++ 3.0.0-249
--------------------------------------------------
Loading snort.lua:
     ssh
     pop
     binder
     stream_tcp
     gtp_inspect
     dce_http_proxy
     stream_icmp
     normalizer
     ftp_server
     stream_udp
     dce_smb
     snort
^C
o")~  caught int signal, exiting

That's the bug I mentioned.  Some command line switches trigger 
different modes and setting the default for --rule-to-text causes Snort 
to expect input on stdin.  Patching around that yields the expected 
error because -z takes a number not a boolean:

$ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = true' | grep ERROR
ERROR: invalid snort.-z = 1

$ ./snort -? | grep "\-z"
-z <count> maximum number of packet threads (same as 
--max-packet-threads); 0 gets the number of CPU cores reported by the 
system; default is 1 (0:)

Changing to a valid value works as expected:

$ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = 2' | grep success
Snort successfully validated the configuration (with 0 warnings).

On 11/20/18 11:06 AM, Meridoff via Snort-devel wrote:
> not only accessing to uninited but even unallocated array, created in 
> PHClass constructor
>
> ---------- Forwarded message ---------
> From: Meridoff <oagvozd at gmail.com>
> Date: Tue, 20 Nov 2018 at 19:03
> Subject: Snort3: bug with "-z" when it only in config
> To: <snort-devel at lists.snort.org>
>
>
> Hello, when option -z (total instances) is given only in config 
> (snort["-z"]=true),
> then it equals to 1 (default ?) for some of 
> inspectors/plugins/modules, because they inited between parse_cmd_line 
> and parse_config (where -z lies).
>
> Due to this bug/feature for many instances we have access to uninited 
> array p->pp_class.init[slot] in 
> function InspectorManager::thread_init(), when slot > 1 but this 
> array for some inspectors (appid, telnet, etc) has length 1 
> (see PHClass constructor).
>
> So we must duplicate "-z" in command line or do not use 
> snort["-z"]=true at all.

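Added example (not part of the original thread and not Snort source): a simplified C++ model of the initialization-order problem described in the forwarded report, where a per-thread array is sized before the config supplies the thread count. Settings, PluginClass and startup are hypothetical names; the bounds check and the resize step are assumptions about one way to guard against it.

```cpp
// Simplified model of the reported failure mode. Not Snort code:
// Settings, PluginClass and startup() are hypothetical names.
#include <cstddef>
#include <cstdio>
#include <vector>

struct Settings { unsigned max_threads = 1; };   // -z defaults to 1

// Stand-in for a per-plugin class keeping one init flag per packet thread.
class PluginClass {
public:
    // The flag array is sized from the thread count known at construction.
    explicit PluginClass(const Settings& s) : init_(s.max_threads, false) {}

    // Re-size once the final thread count is known (after config parsing).
    void resize(const Settings& s) { init_.assign(s.max_threads, false); }

    // Bounds-checked per-thread init: a slot outside the array is refused
    // instead of being read or written.
    bool thread_init(std::size_t slot) {
        if (slot >= init_.size()) return false;
        init_[slot] = true;
        return true;
    }
private:
    std::vector<bool> init_;
};

// Runs the startup sequence and returns how many thread slots were refused.
unsigned startup(bool resize_after_config, unsigned z_from_config) {
    Settings s;                       // 1. command line parsed, no -z given
    PluginClass plugin(s);            // 2. plugin constructed with 1 slot
    s.max_threads = z_from_config;    // 3. config then sets snort["-z"]
    if (resize_after_config) plugin.resize(s);
    unsigned refused = 0;
    for (unsigned slot = 0; slot < s.max_threads; ++slot)
        if (!plugin.thread_init(slot)) ++refused;
    return refused;
}

int main() {
    std::printf("no resize: %u slot(s) out of range\n", startup(false, 4));
    std::printf("resized:   %u slot(s) out of range\n", startup(true, 4));
    return 0;
}
```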