[Snort-users] [Snort-admin] Re: Snort core dumped
dr at ...381...
Fri Jan 11 13:49:04 EST 2002
The snort distribution has a clearly labeled file called BUGS,
which outlines what information to gather in case of snort
crashes and where to send this infomation so that the
development team may look at it in a timely fashion.
At last check this file did not mention posts to Bugtraq or letters
to the editor in the NY Times or any other exotic communications
as appropriate ways to notify developers about bugs
so that they may examine and correct them. Some of the
development team had some more colorful commentary
about Mr. Sinbad's choice of notification channels, but
let's leave it described as "inappropriate". Posting directly
to Bugtraq without notifying the developers is poor form
and probably needlessly exposes the organizations that
use snort as a key piece of their network defensive strategy
to unnecessary risks.
Marty Roesch, the folks at Sourcefire (Marty's company),
and the snort developers around the world who volunteer
their time to the project are a very responsive team and
usually perfom excellently in the area of response time for
updates in comparison to other industry and open-source
projects. The Bugtraq post came to their attention in the
morning, and few hours later a fix was committed to CVS
by Marty. The patch to fix the minor error that caused the
crash is listed below for those that want to apply it
manually - as only one number needs to be changed
from 8 -> 4 to correct an oversight.
The project team, however, recommends that users upgrade
to the Build 90 CVS version of snort, as in the snort world the
CVS version usually represents the most stable and bugfree version
of snort available. The CVS version also contains some other minor
bug fixes incorporated since the relatively stable 1.8.3 release.
Instructions for accessing the CVS version can be found at
We respectfully suggest that this sort of situation be handled
in the future by following the instructions for reporting potential
defects outlined in the BUGS file that accompanies snort distributions.
[01/10 12:47:09] <roesch> here's the patch to fix the sinbad "crash"
--- olddecode.h Thu Jan 10 15:47:48 2002
+++ decode.h Thu Jan 10 12:15:33 2002
@@ -105,7 +105,7 @@
#define IP_HEADER_LEN 20
#define TCP_HEADER_LEN 20
#define UDP_HEADER_LEN 8
-#define ICMP_HEADER_LEN 8
+#define ICMP_HEADER_LEN 4
#define TH_FIN 0x01
#define TH_SYN 0x02
On Wed, 09 Jan 2002, Sinbad wrote:
> Run snort:
> # snort -dev host 192.168.0.3 and 192.168.0.1
> Ping 192.168.0.1 from 192.168.0.3 within one data in payload:
> # ping -c 1 -s 1 192.168.0.1
> Snort's output showed below:
> -*> Snort! <*-
> Version 1.8.3 (Build 88)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> 01/10-11:34:43.898282 0:80:AD:78:83:BB -> 0:E0:18:C4:52:76 type:0x800 len:0x2B
> 192.168.0.3 -> 192.168.0.1 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:29 DF
> Type:8 Code:0 ID:9435 Seq:0 ECHO
> Segmentation fault (core dumped)
> hmm... core dumped!
> while with the '-X' option works well. :)
> Have you ever seen this happened?
CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com
More information about the Snort-users