I think I meant snort = { ["-z"]=0 } (instead of =true) if the system has many CPUs (8 in my case), or just snort = { ["-z"]=8 }.


Fri, 23 Nov 2018 at 13:57, Meridoff <oagvozd@gmail.com>:

Hello,

Wed, 21 Nov 2018 at 17:03, Russ via Snort-devel <snort-devel@lists.snort.org>:
Hi Meridoff,

I'm not able to reproduce the exact issue you report but I did find a bug.  What version of Snort++ are you using?  Here is a summary of my findings:

Snort++ 3.0.0-247
 

1.  snort["-z"] = true is a misconfiguration and should not be expected to work under any circumstances.
 
Sorry, it was my misprint, I mean for example snort["-z"] = 2 (NUMBER)

2.  snort = { "-z" = 2 } is invalid Lua.

3.  snort = { }; snort["-z"] = 2 is a valid configuration (number not boolean) and we will fix that bug.

Yes, my message is based on such a config.
 

Below is what I'm seeing with the latest.  Note that I'm using --lua for clarity but the same results hold if you put the command line Lua chunks directly in your snort.lua.

Thanks for reporting the issue.
Russ


$ ./snort -c snort.lua --lua 'snort["-z"] = true'
--------------------------------------------------
o")~   Snort++ 3.0.0-249
--------------------------------------------------
Loading snort.lua:
FATAL: can't init overrides: [string "require('snort_config'); snort["-z"] = true"]:1: attempt to index global 'snort' (a nil value)
Fatal Error, Quitting..

That makes sense, because the snort table is not defined.  Defining that causes Snort to hang:

$ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = true'
--------------------------------------------------
o")~   Snort++ 3.0.0-249
--------------------------------------------------
Loading snort.lua:
    ssh
    pop
    binder
    stream_tcp
    gtp_inspect
    dce_http_proxy
    stream_icmp
    normalizer
    ftp_server
    stream_udp
    dce_smb
    snort
^C
o")~  caught int signal, exiting

That's the bug I mentioned.  Some command line switches trigger different modes and setting the default for --rule-to-text causes Snort to expect input on stdin.  Patching around that yields the expected error because -z takes a number not a boolean:

$ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = true' | grep ERROR
ERROR: invalid snort.-z = 1

$ ./snort -? | grep "\-z"
-z <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:)

Changing to a valid value works as expected:

$ ./snort -c snort.lua --lua 'snort = { }; snort["-z"] = 2' | grep success
Snort successfully validated the configuration (with 0 warnings).

On 11/20/18 11:06 AM, Meridoff via Snort-devel wrote:
not only accessing an uninitialized but even an unallocated array, created in the PHClass constructor

---------- Forwarded message ---------
From: Meridoff <oagvozd@gmail.com>
Date: Tue, 20 Nov 2018 at 19:03
Subject: Snort3: bug with "-z" when it only in config
To: <snort-devel@lists.snort.org>


Hello, when option -z (total instances) is given only in the config (snort["-z"]=true),
then it equals 1 (default?) for some of the inspectors/plugins/modules, because they are initialized between parse_cmd_line and parse_config (where -z lies).

Due to this bug/feature, for many instances we have access to the uninitialized array p->pp_class.init[slot] in function InspectorManager::thread_init(), when slot > 1 but this array for some inspectors (appid, telnet, etc.) has length 1 (see the PHClass constructor).

So we must duplicate "-z" on the command line or not use snort["-z"]=true at all.


_______________________________________________
Snort-devel mailing list
Snort-devel@lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
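
The ordering problem described in the original report, replayed as an added C++ example that is not Snort's code and not written by anyone in this thread: a per-thread array is sized when the plugin record is constructed, the thread count is raised afterwards by the config, and per-thread init then runs for every slot. Settings, PluginClass, on_config_loaded and run are hypothetical names; the bounds check and the re-size hook are one possible hardening, not the project's actual fix.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical stand-in for the parsed settings; 1 mirrors the "-z" default.
struct Settings { unsigned max_threads = 1; };

// Hypothetical per-plugin record with one "initialized" flag per packet thread.
class PluginClass {
public:
    // Hazard: the array is sized from whatever the thread count is right now.
    explicit PluginClass(const Settings& s) : init_(s.max_threads, false) {}

    std::size_t slots() const { return init_.size(); }

    // Hardening 1: re-size once the configuration has been fully parsed.
    void on_config_loaded(const Settings& s) { init_.assign(s.max_threads, false); }

    // Hardening 2: refuse a slot the array does not cover instead of
    // indexing past its end.
    bool thread_init(unsigned slot) {
        if (slot >= init_.size())
            return false;
        init_[slot] = true;
        return true;
    }

private:
    std::vector<bool> init_;
};

// Replays the reported ordering and returns how many slots were initialized.
unsigned run(unsigned config_threads, bool resize_after_config) {
    Settings s;                      // command line carried no -z, so 1
    PluginClass plugin(s);           // constructed before the config is read
    s.max_threads = config_threads;  // config sets snort["-z"] afterwards
    if (resize_after_config)
        plugin.on_config_loaded(s);
    unsigned ok = 0;
    for (unsigned slot = 0; slot < s.max_threads; ++slot)
        if (plugin.thread_init(slot))
            ++ok;
    return ok;
}

int main() { return run(8, true) == 8 ? 0 : 1; }
```

Without the re-size, run(8, false) initializes only one slot and the other seven are rejected by the bounds check; an unchecked index in their place would read and write outside the array.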