[Snort-users] Snort 1.7 segfaults while parsing snort.org rules

Tobias von Koch tvk at ...1828...
Sat Apr 14 10:05:45 EDT 2001


hi,

today I updated to snort 1.7, but it has problems while parsing the rules
file.
I downloaded the standard snort.org rules some days ago (actually,
snort.org is down, so I can't check if there were any changes).

Here is the output of gdb:

#####################################################################
[root at ...1829... /root]# gdb /usr/local/bin/snort
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) run -A fast -c /etc/snort.conf -N
Starting program: /usr/local/bin/snort -A fast -c /etc/snort.conf -N

        --== Initializing Snort ==--

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...

Program received signal SIGSEGV, Segmentation fault.
strcmp (p1=0x808f0f0 "activation", p2=0x0) at ../sysdeps/generic/strcmp.c:39
39      ../sysdeps/generic/strcmp.c: No such file or directory.
(gdb) bt
#0  strcmp (p1=0x808f0f0 "activation", p2=0x0) at ../sysdeps/generic/strcmp.c:39
#1  0x805c959 in ParseDeclaredRuleType (rule=0xbfffe5b8 "") at parser.c:299
#2  0x8051c63 in ParseRule (prule=0xbfffe9f8 "", inclevel=1) at rules.c:436
#3  0x80518eb in ParseRulesFile (file=0x808f7a0 "/etc/snortrules.conf", inclevel=1) at rules.c:144
#4  0x8051be8 in ParseRule (prule=0xbffff2c8 "include /etc/snortrules.conf", inclevel=0) at rules.c:382
#5  0x80518eb in ParseRulesFile (file=0x808597c "/etc/snort.conf", inclevel=0) at rules.c:144
#6  0x804aeaa in main (argc=6, argv=0xbffff7fc) at snort.c:258
#7  0x40138b5c in __libc_start_main (main=0x804abbc <main>, argc=6, ubp_av=0xbffff7fc, init=0x804a068 <_init>,     fini=0x80730bc <_fini>, rtld_fini=0x4000d634 <_dl_fini>, stack_end=0xbffff7f4) at ../sysdeps/generic/libc-start.c:129
(gdb) br parser.c:299
Breakpoint 1 at 0x805c949: file parser.c, line 299.
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/local/bin/snort -A fast -c /etc/snort.conf -N

        --== Initializing Snort ==--

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...

Breakpoint 1, ParseDeclaredRuleType (rule=0xbfffe5b8 "") at parser.c:299
299             if(!strcmp(node->name, toks[0]))
(gdb) p node->name
$1 = 0x808f0f0 "activation"
(gdb) p toks[0]
$2 = 0x0
(gdb) quit

#################################################################

If you want to see my snortrules file, get it from:
	http://probiers.net/snortrules.conf

My snort.conf actually does nothing interesting, it just defines HOME_NET,
HTTP_SERVERS and so on, and includes the rules file.

greetings
tvk
-- 
Tobias v. Koch # Mail: tvk at ...1828...        # Linux is not better
    tvk        # WWW : http://probiers.net/     # than Windows! Or at
     @         # PGP : 0x3FE1548C, get it from  # least not for
   IRCNet      #       http://key.probiers.net/ # everyone.
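
Added example, not part of the original post and not Snort's source code: a minimal C sketch of the failure the backtrace shows (an empty rule line produces no tokens, so toks[0] is NULL when it reaches strcmp()) together with the guard that prevents it. The names rule_type_node, split_rule and lookup_rule_type and the mode numbers are hypothetical; only "activation", toks[0] and the empty rule string come from the gdb output.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOKS 8

/* Hypothetical stand-in for the parser's list of declared rule types. */
struct rule_type_node { const char *name; int mode; struct rule_type_node *next; };
static struct rule_type_node n_log   = { "log", 3, NULL };
static struct rule_type_node n_alert = { "alert", 2, &n_log };
static struct rule_type_node n_head  = { "activation", 1, &n_alert };

/* Split buf in place on whitespace; fills toks[] and returns the token count.
 * An empty or whitespace-only line yields 0 tokens and toks[0] == NULL,
 * the state gdb shows in frame #1 (rule="", toks[0]=0x0). */
static int split_rule(char *buf, char *toks[MAX_TOKS])
{
    int n = 0;
    memset(toks, 0, MAX_TOKS * sizeof(toks[0]));
    for (char *t = strtok(buf, " \t\r\n"); t && n < MAX_TOKS; t = strtok(NULL, " \t\r\n"))
        toks[n++] = t;
    return n;
}

/* Returns the rule type's mode, 0 for an unknown type, -1 for a line with no tokens. */
int lookup_rule_type(const char *rule)
{
    char buf[256];
    char *toks[MAX_TOKS];

    if (rule == NULL)
        return -1;
    snprintf(buf, sizeof(buf), "%s", rule);
    if (split_rule(buf, toks) == 0)   /* guard: never hand NULL to strcmp() */
        return -1;
    for (struct rule_type_node *node = &n_head; node != NULL; node = node->next)
        if (!strcmp(node->name, toks[0]))
            return node->mode;
    return 0;
}

int main(void)
{
    /* Constructed sample lines, including the empty one from the trace. */
    const char *lines[] = { "alert tcp any any -> any 80", "", "   \t", "bogus x" };
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        printf("[%s] -> %d\n", lines[i], lookup_rule_type(lines[i]));
    return 0;
}
```

Without the token-count check, the empty and whitespace-only lines reach strcmp() with a NULL second argument, which is the SIGSEGV in frame #0.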
