[Snort-users] [Snort-admin] Re: Snort core dumped

Dragos Ruiu dr at ...381...
Fri Jan 11 13:49:04 EST 2002


The snort distribution has a clearly labeled file called BUGS,
which outlines what information to gather in case of snort 
crashes and where to send this infomation so that the 
development team may look at it in a timely fashion.

At last check this file did not mention posts to Bugtraq or letters
to the editor in the NY Times or any other exotic communications
as appropriate ways to notify developers about bugs 
so that they may examine and correct them.  Some of the 
development team had some more colorful commentary 
about Mr. Sinbad's choice of notification channels, but 
let's leave it described as "inappropriate".  Posting directly 
to Bugtraq without notifying the developers is poor form 
and probably needlessly exposes the organizations that 
use snort as a key piece of their network defensive strategy 
to unnecessary risks.

Marty Roesch, the folks at Sourcefire (Marty's company), 
and the snort developers around the world who volunteer
their time to the project are a very responsive team and 
usually perfom excellently in the area of response time for 
updates in comparison to other industry and open-source 
projects. The Bugtraq post came to their attention in the 
morning, and few hours later a fix was committed to CVS 
by Marty.  The patch to fix the minor error that caused the 
crash is listed below for those that want to apply it 
manually - as only one number needs to be changed 
from 8 -> 4 to correct an oversight.  

The project team, however, recommends that users upgrade 
to the Build 90 CVS version of snort, as in the snort world the
CVS version usually represents the most stable and bugfree version 
of snort available. The CVS version also contains some other minor
bug fixes incorporated since the relatively stable 1.8.3 release.

Instructions for accessing the CVS version can be found at 
http://www.snort.org

We respectfully suggest that this sort of situation be handled 
in the future by following the instructions for reporting potential 
defects outlined in the BUGS file that accompanies snort distributions.  
Thank you.

[01/10 12:47:09] <roesch> here's the patch to fix the sinbad "crash"

--- olddecode.h Thu Jan 10 15:47:48 2002
+++ decode.h    Thu Jan 10 12:15:33 2002
@@ -105,7 +105,7 @@
 #define IP_HEADER_LEN           20
 #define TCP_HEADER_LEN          20
 #define UDP_HEADER_LEN          8
-#define ICMP_HEADER_LEN         8
+#define ICMP_HEADER_LEN         4
 
 #define TH_FIN  0x01
 #define TH_SYN  0x02


On Wed, 09 Jan 2002, Sinbad wrote:
> Run snort:
> # snort -dev host 192.168.0.3 and 192.168.0.1 
> 
> Ping 192.168.0.1 from 192.168.0.3 within one data in payload:
> # ping -c 1 -s 1 192.168.0.1
> 
> Snort's output showed below:
> -*> Snort! <*-
> Version 1.8.3 (Build 88)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> 01/10-11:34:43.898282 0:80:AD:78:83:BB -> 0:E0:18:C4:52:76 type:0x800 len:0x2B
> 192.168.0.3 -> 192.168.0.1 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:29 DF
> Type:8  Code:0  ID:9435   Seq:0  ECHO
> Segmentation fault (core dumped)
> 
> hmm... core dumped!
> 
> while with the '-X' option works well. :)
> 
> Have you ever seen this happened?
> 
> 
> Regards,
> Sinbad

-- 
--dr                    http://dragos.com/dr-dursec.asc
        CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com




More information about the Snort-users mailing list