[Snort-users] Segfault on fun funy rule

Jason Monroe "JC" monroe at ...5738...
Wed Feb 25 20:36:05 EST 2004


Hello Everybody,

Downloaded 2.1.1, built it against Fedora Core 1
pcre 4.4
libpcap-0.7.2-7.1

[root at ...11312... root]# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/3.3.2/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--disable-checking --with-system-zlib --enable-__cxa_atexit
--host=i386-redhat-linux
Thread model: posix
gcc version 3.3.2 20031022 (Red Hat Linux 3.3.2-1)


I have a rule in local.rules that causes breakage:

alert tcp any any -> any any (msg:"Telnet login as root";content:"root";nocase;flow:to_server:established;)

I mistakenly typed a ":" instead of a "," in the flow statement.

When I correct the rule, snort is able to init correctly :)
(the glass is half full)


[root at ...11312... root]# /opt/snort/bin/snort -T -v -c /etc/snort/snort.conf
.... sparing details

telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Segmentation fault



I looked at the FAQ; it said DO GDB, so here it is:
[root at ...11312... root]# gdb snort
GNU gdb Red Hat Linux (5.3.90-0.20030710.41rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host
libthread_db library "/lib/tls/libthread_db.so.1".
 
(gdb) run snort -T -v -c /etc/snort/snort.conf
Starting program: /opt/snort/bin/snort snort -T -v -c
/etc/snort/snort.conf
Running in IDS mode
Log directory = /var/log/snort
 
Initializing Network Interface eth0
ERROR: OpenPcap() FSM compilation failed:
        syntax error
PCAP command: snort
Fatal Error, Quitting..
 
Program exited with code 01.
(gdb) where
No stack.
(gdb) bt
No stack.
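The post shows a single wrong separator in a `flow:` option taking the whole sensor down at start-up. The following is an added example, not code from the post or from the Snort project: a small Python linter that tokenizes a Snort 2.x rule's option section (respecting quoted `content:` strings) and reports malformed `flow:` arguments before the rule set is ever loaded. The `FLOW_MODIFIERS` set is a hypothetical list of the modifiers the Snort 2.x rule language documents for `flow`; the two sample rules are constructed, the first being the exact rule from the post.

```python
import re

# Modifiers accepted by the Snort 2.x "flow" keyword (assumed list for this linter).
FLOW_MODIFIERS = {
    "to_client", "to_server", "from_client", "from_server",
    "established", "not_established", "stateless",
    "no_stream", "only_stream",
}

# Constructed sample rules: the first is the typo from the post, the second the fix.
BAD_RULE = ('alert tcp any any -> any any (msg:"Telnet login as root";'
            'content:"root";nocase;flow:to_server:established;)')
GOOD_RULE = ('alert tcp any any -> any any (msg:"Telnet login as root";'
             'content:"root";nocase;flow:to_server,established;)')


def split_options(rule):
    """Return [(keyword, argument_or_None), ...] for the rule's option section.

    Splits on ';' only outside double quotes so that content:"a;b" stays intact.
    """
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("rule has no option section")
    body = m.group(1)
    options, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:  # option terminator
            options.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        options.append(tail)
    pairs = []
    for opt in options:
        if not opt:
            continue
        key, sep, arg = opt.partition(":")   # only the first ':' separates key from argument
        pairs.append((key.strip(), arg.strip() if sep else None))
    return pairs


def check_flow(arg):
    """Return a list of problems with a flow: argument string (empty list means OK)."""
    problems = []
    if arg is None or not arg.strip():
        return ["flow requires at least one modifier"]
    if ":" in arg:
        # The exact mistake from the post: ':' used where ',' is the modifier separator.
        problems.append("flow modifiers must be separated by ',' not ':' (got %r)" % arg)
    for mod in re.split(r"[,:]", arg):
        mod = mod.strip()
        if mod and mod not in FLOW_MODIFIERS:
            problems.append("unknown flow modifier %r" % mod)
    return problems


def lint_rule(rule):
    """Collect all flow-related problems for one rule."""
    problems = []
    for key, arg in split_options(rule):
        if key == "flow":
            problems.extend(check_flow(arg))
    return problems


if __name__ == "__main__":
    for label, rule in (("bad", BAD_RULE), ("good", GOOD_RULE)):
        print(label, lint_rule(rule) or "OK")
```

Run over a local.rules file before restarting the sensor, the linter turns the start-up segfault into a readable message naming the offending option; the same tokenizer can be extended with checks for other keywords that have a fixed vocabulary.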