[Snort-devel] Fwd: Snort3: bug with "-z" when it only in config

Meridoff oagvozd at gmail.com
Sat Nov 24 13:17:31 EST 2018


Awesome, thanks for the update!

On Fri, Nov 23, 2018 at 14:55, Russ <rucombs at cisco.com> wrote:

> This is fixed in the latest on github.
>
> Thanks
> Russ
>
> On 11/23/18 6:10 AM, Meridoff wrote:
>
> I think I meant snort = { ["-z"]=0 } (instead of =true) if the system has
> many CPUs (8 in my case), or just snort = { ["-z"]=8 }.
>
>
> On Fri, Nov 23, 2018 at 13:57, Meridoff <oagvozd at gmail.com> wrote:
>
>>
>> Hello,
>>
>> On Wed, Nov 21, 2018 at 17:03, Russ via Snort-devel <
>> snort-devel at lists.snort.org> wrote:
>>
>>> Hi Meridoff,
>>>
>>> I'm not able to reproduce the exact issue you report but I did find a
>>> bug.  What version of Snort++ are you using?  Here is a summary of my
>>> findings:
>>>
>>
>> Snort++ 3.0.0-247
>>
>>
>>>
>>> 1.  snort["-z"] = true is a misconfiguration and should not be expected
>>> to work under any circumstances.
>>>
>>
>> Sorry, it was my misprint, I mean for example snort["-z"] = 2 (NUMBER)
>>
>>>
>>> 2.  snort = { "-z" = 2 } is invalid Lua.
>>>
>>> 3.  snort = { }; snort["-z"] = 2 is a valid configuration (number not
>>> boolean) and we will fix that bug.
>>>
>>
>> Yes, my message is based on such a config.
>>
>>
>>>
>>> Below is what I'm seeing with the latest.  Note that I'm using --lua for
>>> clarity but the same results hold if you put the command line Lua chunks
>>> directly in your snort.lua.
>>>
>>> Thanks for reporting the issue.
>>> Russ
>>>
>>>
>>> $ ./snort -c snort.lua --lua 'snort["-z"] = true'
>>> --------------------------------------------------
>>> o")~   Snort++ 3.0.0-249
>>> --------------------------------------------------
>>> Loading snort.lua:
>>> FATAL: can't init overrides: [string "require('snort_config');
>>> snort["-z"] = true"]:1: attempt to index global 'snort' (a nil value)
>>> Fatal Error, Quitting..
>>>
>>> That makes sense, because the snort table is not defined.  Defining that
>>> causes Snort to hang:
>>>
>>> $ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = true'
>>> --------------------------------------------------
>>> o")~   Snort++ 3.0.0-249
>>> --------------------------------------------------
>>> Loading snort.lua:
>>>     ssh
>>>     pop
>>>     binder
>>>     stream_tcp
>>>     gtp_inspect
>>>     dce_http_proxy
>>>     stream_icmp
>>>     normalizer
>>>     ftp_server
>>>     stream_udp
>>>     dce_smb
>>>     snort
>>> ^C
>>> o")~  caught int signal, exiting
>>>
>>> That's the bug I mentioned.  Some command line switches trigger
>>> different modes and setting the default for --rule-to-text causes Snort to
>>> expect input on stdin.  Patching around that yields the expected error
>>> because -z takes a number not a boolean:
>>>
>>> $ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = true' | grep ERROR
>>> ERROR: invalid snort.-z = 1
>>>
>>> $ ./snort -? | grep "\-z"
>>> -z <count> maximum number of packet threads (same as
>>> --max-packet-threads); 0 gets the number of CPU cores reported by the
>>> system; default is 1 (0:)
>>>
>>> Changing to a valid value works as expected:
>>>
>>> $ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = 2' | grep success
>>> Snort successfully validated the configuration (with 0 warnings).
>>>
>>> On 11/20/18 11:06 AM, Meridoff via Snort-devel wrote:
>>>
>>> Not only accessing an uninitialized but even an unallocated array, created in
>>> the PHClass constructor
>>>
>>> ---------- Forwarded message ---------
>>> From: Meridoff <oagvozd at gmail.com>
>>> Date: Tue, Nov 20, 2018 at 19:03
>>> Subject: Snort3: bug with "-z" when it only in config
>>> To: <snort-devel at lists.snort.org>
>>>
>>>
>>> Hello, when option -z (total instances) is given only in config
>>> (snort["-z"]=true),
>>> then it equals 1 (default?) for some of the inspectors/plugins/modules,
>>> because they are initialized between parse_cmd_line and parse_config (where -z lies).
>>>
>>> Due to this bug/feature, for many instances we have access to an uninitialized
>>> array p->pp_class.init[slot] in function InspectorManager::thread_init(),
>>> when slot > 1, but this array for some inspectors (appid, telnet, etc.) has
>>> length 1 (see PHClass constructor).
>>>
>>> So we must duplicate "-z" on the command line or not use snort["-z"]=true
>>> at all.
>>>
>>>
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.snort.org
>>> https://lists.snort.org/mailman/listinfo/snort-devel
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>
>>>
>>
>
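
A simplified C++ model of the ordering problem described in the original report, added here as an illustration; it is not Snort code, and the names `PerThreadState`, `g_max_threads` and `run_startup` are hypothetical. The per-slot array is sized when the object is built, the thread count is raised afterwards by the config, and a bounds check shows which slots fall outside the array unless it is resized once the final count is known.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for the global "maximum packet threads" value (-z).
static unsigned g_max_threads = 1;  // default is 1, per the -z help text

// Simplified model of a plugin class holding one init flag per thread slot.
class PerThreadState {
public:
    // The array length is fixed from whatever thread count is known *now*.
    PerThreadState() : init(g_max_threads, false) {}

    // Fix: re-size once the final thread count is known (after config parse).
    void resize_for(unsigned threads) { init.resize(threads, false); }

    // Checked per-thread init: rejects a slot the array was never sized for
    // instead of writing past the end of the allocation.
    bool thread_init(unsigned slot) {
        if (slot >= init.size())
            return false;
        init[slot] = true;
        return true;
    }
    std::size_t slots() const { return init.size(); }

private:
    std::vector<bool> init;
};

// Replays the startup order from the report and returns how many thread
// slots could be initialized safely.
unsigned run_startup(unsigned z_from_config, bool resize_after_config) {
    g_max_threads = 1;              // command line parsed: no -z given
    PerThreadState state;           // plugin constructed before config parse
    g_max_threads = z_from_config;  // config parse applies snort["-z"]
    if (resize_after_config)
        state.resize_for(g_max_threads);
    unsigned ok = 0;
    for (unsigned slot = 0; slot < g_max_threads; ++slot)
        if (state.thread_init(slot))
            ++ok;
    return ok;
}

int main() {
    std::printf("-z 2 in config only, no resize: %u slot(s) usable\n", run_startup(2, false));
    std::printf("-z 2 in config only, resized:   %u slot(s) usable\n", run_startup(2, true));
    return 0;
}
```

Without the bounds check in `thread_init`, the second thread's write would land outside the one-element array, which is the access the report describes.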