[Snort-users] RE: [Snort-users] Re: Core on FreeBSD

Robert D. Hughes rob at ...1932...
Mon Nov 5 09:43:01 EST 2001



Oh... here's what confused me (from snort.conf comments):

# tcp stream reassembly directive
# no arguments loads the default configuration (clientonly, ports default,
# alerts on)
^^^^^^^^^^^^^
That led me to believe that alerts on was a valid argument. But why does
it also core if I use "ports default"? I take it that also is not a
valid argument?

Thanks,
Rob

-----Original Message-----
From: Martin Roesch [mailto:roesch at sourcefire.com]
Sent: Monday, November 05, 2001 8:57 AM
To: Snort-users (E-mail)
Subject: [Snort-users] Re: Core on FreeBSD


Ok, the quick answer is that "alerts on" isn't a valid option, so don't
use that.  The real problem is that I make a call to FatalError() in the
stream4 parsing code and I pass it a bad argument list, which I've now
fixed.  Look in the comment block above the stream4_reassemble directive
in snort.conf to see the valid options.

A fix has been committed to CVS.

     -MartyM3ln1bone


"Robert D. Hughes" wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> All,
> 
> When creating my snort.conf, I added the line "preprocessor
> stream4_reassemble: both, ports default, alerts on". This causes a core
> dump on FreeBSD 4.4-STABLE. If I just use "preprocessor
> stream4_reassemble: both" it works. Using "preprocessor
> stream4_reassemble: both, ports 21 23 25 53 80 143 110 111 513 8880 2953
> 2954" also works. Is there a known issue where using "ports default"
> causes snort to core? This behavior also occurs if I use "ports all" as
> is shown in the trace below.
> 
> Thanks,
> Rob Hughes
> Voice (H) (972) 918-0980
> Voice (C) (214) 282-7996
> Email rob at robhughes.com
> 
> #0  0x282a80b6 in vfprintf () from /usr/lib/libc.so.4
> (gdb) where
> #0  0x282a80b6 in vfprintf () from /usr/lib/libc.so.4
> #1  0x282a6ec4 in fprintf () from /usr/lib/libc.so.4
> #2  0x282a721a in vfprintf () from /usr/lib/libc.so.4
> #3  0x804dbbb in FatalError (format=0x808d560 "ERROR %s(%d) => Bad
> stream4_reassemble option specified: \"%s\"\n")
>     at snort.c:2808
> #4  0x807732f in Stream4InitReassembler (args=0x80ba400 "both, ports
> all, alerts on") at spp_stream4.c:885
> #5  0x8054966 in ParsePreprocessor (rule=0xbfbfd694 "preprocessor
> stream4_reassemble: both, ports all, alerts on")
>     at rules.c:1327
> #6  0x805417b in ParseRule (rule_file=0x282cc800,
>     prule=0xbfbff744 "preprocessor stream4_reassemble: both, ports all,
> alerts on", inclevel=0) at rules.c:539
> #7  0x8053cd7 in ParseRulesFile (file=0x8097a78
> "/usr/local/etc/snort/snort.conf", inclevel=0) at rules.c:198
> #8  0x804b38a in main (argc=9, argv=0xbfbffbd8) at snort.c:335
> #9  0x804ae85 in _start ()
> (gdb) bt
> #0  0x282a80b6 in vfprintf () from /usr/lib/libc.so.4
> #1  0x282a6ec4 in fprintf () from /usr/lib/libc.so.4
> #2  0x282a721a in vfprintf () from /usr/lib/libc.so.4
> #3  0x804dbbb in FatalError (format=0x808d560 "ERROR %s(%d) => Bad
> stream4_reassemble option specified: \"%s\"\n")
>     at snort.c:2808
> #4  0x807732f in Stream4InitReassembler (args=0x80ba400 "both, ports
> all, alerts on") at spp_stream4.c:885
> #5  0x8054966 in ParsePreprocessor (rule=0xbfbfd694 "preprocessor
> stream4_reassemble: both, ports all, alerts on")
>     at rules.c:1327
> #6  0x805417b in ParseRule (rule_file=0x282cc800,
>     prule=0xbfbff744 "preprocessor stream4_reassemble: both, ports all,
> alerts on", inclevel=0) at rules.c:539
> #7  0x8053cd7 in ParseRulesFile (file=0x8097a78
> "/usr/local/etc/snort/snort.conf", inclevel=0) at rules.c:198
> #8  0x804b38a in main (argc=9, argv=0xbfbffbd8) at snort.c:335
> #9  0x804ae85 in _start ()
> 
> ___________________________________________
> 
> "Great spirits have always encountered violent opposition from mediocre
> minds." -- Albert Einstein
> 

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at sourcefire.com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
