[Snort-devel] Fwd: Snort3: bug with "-z" when it only in config

Russ rucombs at cisco.com
Fri Nov 23 06:55:52 EST 2018


This is fixed in the latest on github.

Thanks
Russ

On 11/23/18 6:10 AM, Meridoff wrote:
> I think I meant snort = { ["-z"]=0 } (instead of =true) if the system
> has many CPUs (8 in my case), or just snort = { ["-z"]=8 }.
>
>
> On Fri, 23 Nov 2018 at 13:57, Meridoff <oagvozd at gmail.com> wrote:
>
>
>     Hello,
>
>     On Wed, 21 Nov 2018 at 17:03, Russ via Snort-devel
>     <snort-devel at lists.snort.org> wrote:
>
>         Hi Meridoff,
>
>         I'm not able to reproduce the exact issue you report but I did
>         find a bug.  What version of Snort++ are you using?  Here is a
>         summary of my findings:
>
>
>     Snort++ 3.0.0-247
>
>
>         1.  snort["-z"] = true is a misconfiguration and should not be
>         expected to work under any circumstances.
>
>     Sorry, it was my misprint, I mean for example snort["-z"] = 2
>     (NUMBER)
>
>
>         2.  snort = { "-z" = 2 } is invalid Lua.
>
>         3.  snort = { }; snort["-z"] = 2 is a valid configuration
>         (number not boolean) and we will fix that bug.
>
>
>     Yes, my message is based on such a config.
>
>
>         Below is what I'm seeing with the latest.  Note that I'm using
>         --lua for clarity but the same results hold if you put the
>         command line Lua chunks directly in your snort.lua.
>
>         Thanks for reporting the issue.
>         Russ
>
>
>         $ ./snort -c snort.lua --lua 'snort["-z"] = true'
>         --------------------------------------------------
>         o")~   Snort++ 3.0.0-249
>         --------------------------------------------------
>         Loading snort.lua:
>         FATAL: can't init overrides: [string "require('snort_config');
>         snort["-z"] = true"]:1: attempt to index global 'snort' (a nil
>         value)
>         Fatal Error, Quitting..
>
>         That makes sense, because the snort table is not defined. 
>         Defining that causes Snort to hang:
>
>         $ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = true'
>         --------------------------------------------------
>         o")~   Snort++ 3.0.0-249
>         --------------------------------------------------
>         Loading snort.lua:
>             ssh
>             pop
>             binder
>             stream_tcp
>             gtp_inspect
>             dce_http_proxy
>             stream_icmp
>             normalizer
>             ftp_server
>             stream_udp
>             dce_smb
>             snort
>         ^C
>         o")~  caught int signal, exiting
>
>         That's the bug I mentioned.  Some command line switches
>         trigger different modes and setting the default for
>         --rule-to-text causes Snort to expect input on stdin. 
>         Patching around that yields the expected error because -z
>         takes a number not a boolean:
>
>         $ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = true'
>         | grep ERROR
>         ERROR: invalid snort.-z = 1
>
>         $ ./snort -? | grep "\-z"
>         -z <count> maximum number of packet threads (same as
>         --max-packet-threads); 0 gets the number of CPU cores reported
>         by the system; default is 1 (0:)
>
>         Changing to a valid value works as expected:
>
>         $ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = 2' |
>         grep success
>         Snort successfully validated the configuration (with 0 warnings).
>
>         On 11/20/18 11:06 AM, Meridoff via Snort-devel wrote:
>>         not only accessing an uninitialized but even an unallocated array,
>>         created in the PHClass constructor
>>
>>         ---------- Forwarded message ---------
>>         From: *Meridoff* <oagvozd at gmail.com>
>>         Date: Tue, 20 Nov 2018 at 19:03
>>         Subject: Snort3: bug with "-z" when it only in config
>>         To: <snort-devel at lists.snort.org>
>>
>>
>>         Hello, when option -z (total instances) is given only in
>>         config (snort["-z"]=true),
>>         then it equals 1 (default?) for some of the
>>         inspectors/plugins/modules, because they are initialized between
>>         parse_cmd_line and parse_config (where -z lies).
>>
>>         Due to this bug/feature, for many instances we have access to
>>         the uninitialized array p->pp_class.init[slot] in
>>         function InspectorManager::thread_init(), when slot > 1 but
>>         this array for some inspectors (appid, telnet, etc.) has
>>         length 1 (see PHClass constructor).
>>
>>         So we must duplicate "-z" on the command line or not use
>>         snort["-z"]=true at all.
>>
>>
>>         _______________________________________________
>>         Snort-devel mailing list
>>         Snort-devel at lists.snort.org <mailto:Snort-devel at lists.snort.org>
>>         https://lists.snort.org/mailman/listinfo/snort-devel
>>
>>         Please visit http://blog.snort.org for the latest news about Snort!
>
>
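
A simplified model of the ordering problem reported in this thread, added here as an example; it is not Snort source code and does not come from either poster. The class, function and variable names are hypothetical, and the model assumes only what the thread states: a per-thread array sized at construction time, with the thread count raised later by the config.

```cpp
// Added illustration, not Snort source: every name here is hypothetical.
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

static unsigned g_max_threads = 1;  // models -z; the documented default is 1

// Models a class whose per-thread flags are sized in its constructor.
class PerThreadState {
public:
    PerThreadState() : init_(g_max_threads, 0) {}
    std::size_t slots() const { return init_.size(); }
    // at() throws on a bad slot; an unchecked init_[slot] would be an
    // out-of-bounds write instead.
    void thread_init(unsigned slot) { init_.at(slot) = 1; }
    // Re-size once the final thread count is known.
    void resize_to_config() { init_.assign(g_max_threads, 0); }
private:
    std::vector<unsigned char> init_;
};

// True if the slot could be initialized without leaving the array.
bool try_thread_init(PerThreadState& s, unsigned slot) {
    try { s.thread_init(slot); return true; }
    catch (const std::out_of_range&) { return false; }
}

// Object is constructed before the config raises the thread count.
bool early_construction_ok(unsigned configured, unsigned slot) {
    g_max_threads = 1;            // after command-line parsing, no -z given
    PerThreadState s;             // sized for one thread
    g_max_threads = configured;   // config parsed afterwards
    return try_thread_init(s, slot);
}

// Same ordering, but the array is re-sized after the config is parsed.
bool resized_ok(unsigned configured, unsigned slot) {
    g_max_threads = 1;
    PerThreadState s;
    g_max_threads = configured;
    s.resize_to_config();
    return try_thread_init(s, slot);
}

int main() {
    std::printf("early, slot 1: %d\n", early_construction_ok(2, 1));
    std::printf("resized, slot 1: %d\n", resized_ok(2, 1));
    return 0;
}
```

The bounds-checked accessor turns the stale-size case into a catchable error, while re-sizing after config parsing removes the mismatch itself.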
