[Snort-users] Bug in Snort v1.7, 1.6.3pr2?

Paul Ritchey pritchey at ...1172...
Fri Jan 19 08:11:23 EST 2001

Hello All:

Over the last few days Snort has been logging alerts in the following format:

[**] Snort Alert! [**]01/19-11:25:39.068139 <mac addresses removed> type:0x800 len:0x3C

As you can see, the above message line in the alert file contains not only the alert message, but also the mac address and two additional fields.  (They should be broken into two lines.)  After trying to figure out what rule was causing this, I came across the following code in log.c:

void AlertFull(Packet *p, char *msg, FILE *file)
    char timestamp[23];

    if (msg != NULL)
        fwrite("[**] ", 5, 1, file);
        fwrite(msg, strlen(msg), 1, file);
        fwrite(" [**]\n", 6, 1, file);
        fwrite("[**] Snort Alert! [**]", 22, 1, file);

If you examine the line for the fwrite of the 'Snort Alert' text in the 'else' statement, you'll discover that the '\n' linefeed character is missing.  This doesn't cause a problem for Snort, but does cause a problem for SnortSnarf since it expects the alert message text to be on a line by itself.  (SnortSnarf doesn't crash/bomb out, but the outputted html is a little corrupted.)

This bug appears to be in both 1.6.3 patch release 2 and version 1.7 that's downloadable from the snort.org site.  I do not know if this exists in the CVS code.

Correct me if I'm wrong, but I suggest altering that single line of code to the following:

      fwrite("[**] Snort Alert! [**]\n", 23, 1, file);

Now for a question:  Why is Snort not seeing an msg message in the rules file?  I'm using the latest rules file.  I've done a grep for lines not containing the text 'msg', and the only lines are the commented out ones or empty lines.  Snort did complain about one of the empty lines as if there was a hidden character that it couldn't deal with during startup.   Deleteing the line made Snort happy again.  So I'm wondering if the file I have is corrupted somehow (but not enough to cause it to complain).....anyone else seen this behavior before?

Paul R.

More information about the Snort-users mailing list