[Snort-devel] Fwd: Snort3: bug with "-z" when it only in config

Meridoff oagvozd at gmail.com
Fri Nov 23 05:57:33 EST 2018


Hello,

Wed, 21 Nov 2018 at 17:03, Russ via Snort-devel <
snort-devel at lists.snort.org>:

> Hi Meridoff,
>
> I'm not able to reproduce the exact issue you report but I did find a
> bug.  What version of Snort++ are you using?  Here is a summary of my
> findings:
>

Snort++ 3.0.0-247


>
> 1.  snort["-z"] = true is a misconfiguration and should not be expected to
> work under any circumstances.
>

Sorry, it was my misprint, I mean for example snort["-z"] = 2 (NUMBER)

>
> 2.  snort = { "-z" = 2 } is invalid Lua.
>
> 3.  snort = { }; snort["-z"] = 2 is a valid configuration (number not
> boolean) and we will fix that bug.
>

Yes, my messages are based on such a config.


>
> Below is what I'm seeing with the latest.  Note that I'm using --lua for
> clarity but the same results hold if you put the command line Lua chunks
> directly in your snort.lua.
>
> Thanks for reporting the issue.
> Russ
>
>
> $ ./snort -c snort.lua --lua 'snort["-z"] = true'
> --------------------------------------------------
> o")~   Snort++ 3.0.0-249
> --------------------------------------------------
> Loading snort.lua:
> FATAL: can't init overrides: [string "require('snort_config'); snort["-z"]
> = true"]:1: attempt to index global 'snort' (a nil value)
> Fatal Error, Quitting..
>
> That makes sense, because the snort table is not defined.  Defining that
> causes Snort to hang:
>
> $ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = true'
> --------------------------------------------------
> o")~   Snort++ 3.0.0-249
> --------------------------------------------------
> Loading snort.lua:
>     ssh
>     pop
>     binder
>     stream_tcp
>     gtp_inspect
>     dce_http_proxy
>     stream_icmp
>     normalizer
>     ftp_server
>     stream_udp
>     dce_smb
>     snort
> ^C
> o")~  caught int signal, exiting
>
> That's the bug I mentioned.  Some command line switches trigger different
> modes and setting the default for --rule-to-text causes Snort to expect
> input on stdin.  Patching around that yields the expected error because -z
> takes a number not a boolean:
>
> $ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = true' | grep ERROR
> ERROR: invalid snort.-z = 1
>
> $ ./snort -? | grep "\-z"
> -z <count> maximum number of packet threads (same as
> --max-packet-threads); 0 gets the number of CPU cores reported by the
> system; default is 1 (0:)
>
> Changing to a valid value works as expected:
>
> $ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = 2' | grep success
> Snort successfully validated the configuration (with 0 warnings).
>
> On 11/20/18 11:06 AM, Meridoff via Snort-devel wrote:
>
> not only accessing an uninited but even an unallocated array, created in
> the PHClass constructor
>
> ---------- Forwarded message ---------
> From: Meridoff <oagvozd at gmail.com>
> Date: Tue, 20 Nov 2018 at 19:03
> Subject: Snort3: bug with "-z" when it only in config
> To: <snort-devel at lists.snort.org>
>
>
> Hello, when option -z (total instances) is given only in config
> (snort["-z"]=true),
> then it equals 1 (default?) for some of the inspectors/plugins/modules,
> because they are inited between parse_cmd_line and parse_config (where -z lies).
>
> Due to this bug/feature, for many instances we have access to an uninited array
> p->pp_class.init[slot] in function InspectorManager::thread_init(), when
> slot > 1, but this array for some inspectors (appid, telnet, etc.) has length
> 1 (see the PHClass constructor).
>
> So we must duplicate "-z" in command line or do not use snort["-z"]=true
> at all.
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
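
The initialization-order problem reported in this thread (a per-thread array sized before the config's -z value is applied, then indexed by slot), as an added example that is not part of the original messages and is not Snort source. It is a simplified model: `PluginClass`, `max_threads`, `resize_for_config` and `run` are hypothetical names, and the bounds check and re-size are one possible hardening, not the project's actual fix.

```cpp
// Simplified model of the ordering problem; hypothetical names, not Snort code.
#include <cstdio>
#include <vector>

// Stand-in for the packet-thread count that "-z" sets; the default is 1.
static unsigned max_threads = 1;

// Per-plugin state holding one "initialized" flag per packet thread.
struct PluginClass {
    std::vector<bool> init;
    // The flags are sized from max_threads as it is at construction time.
    PluginClass() : init(max_threads, false) {}

    // Hardened per-thread init: refuse a slot the array was never sized for
    // instead of indexing past its end.
    bool thread_init(unsigned slot) {
        if (slot >= init.size())
            return false;
        init[slot] = true;
        return true;
    }
    // Ordering fix: re-size once the final thread count is known.
    void resize_for_config() { init.assign(max_threads, false); }
};

// Replays the startup order and returns how many slots initialized cleanly.
unsigned run(bool z_on_cmdline, unsigned z, bool resize_after_config) {
    max_threads = 1;                        // built-in default
    if (z_on_cmdline) max_threads = z;      // command-line parse sees -z
    PluginClass pc;                         // plugin built between the parses
    if (!z_on_cmdline) max_threads = z;     // config parse: snort["-z"] = z
    if (resize_after_config) pc.resize_for_config();
    unsigned ok = 0;
    for (unsigned slot = 0; slot < max_threads; ++slot)
        if (pc.thread_init(slot)) ++ok;
    return ok;
}

int main() {
    std::printf("-z 4 on command line:      %u of 4 slots\n", run(true, 4, false));
    std::printf("-z 4 in config only:       %u of 4 slots\n", run(false, 4, false));
    std::printf("config only, with re-size: %u of 4 slots\n", run(false, 4, true));
    return 0;
}
```

Without the bounds check in `thread_init`, the config-only case would write to slots 1 through 3 of a one-element array, which is the out-of-bounds access the report describes.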