[Snort-users] Segfault on fun funy rule

Erek Adams erek at ...950...
Wed Feb 25 22:24:06 EST 2004


[...comments inline...]

On Wed, 25 Feb 2004, Jason Monroe "JC" wrote:

> Downloaded 2.1.1 built it against Fedora Core 1
> pcre 4.4
> libpcap-0.7.2-7.1

[...snip...]

> Have rule in local.rules that causes breakage
>
> alert tcp any any -> any any (msg:"Telnet login as
> root";content:"root";nocase;flow:to_server:established;)
>
> I mistakenly typed a ":" instead of "," between the flow statement
>
> When I correct the rule snort is able to init correctly :)
> (the glass is half full)

Good. :)  Don't type that. :)

Your problem below isn't the same--It's different.

> I looked at the FAQ said DO GDB so here it is
> [root at ...11312... root]# gdb snort
> GNU gdb Red Hat Linux (5.3.90-0.20030710.41rh)

[...snip...]

> (gdb) run snort -T -v -c /etc/snort/snort.conf
> Starting program: /opt/snort/bin/snort snort -T -v -c
> /etc/snort/snort.conf
> Running in IDS mode
> Log directory = /var/log/snort
>
> Initializing Network Interface eth0
> ERROR: OpenPcap() FSM compilation failed:
>         syntax error
> PCAP command: snort
> Fatal Error, Quitting..
>
> Program exited with code 01.
> (gdb) where
> No stack.
> (gdb) bt
> No stack.

Makes perfect sense. :)

Instead of "run snort ...." try just "run <options>" without the word
'snort'.  Libpcap is seeing that and trying to interpret it as a BPF style
filter, hence the syntax error with OpenPcap.

Cheers!

-----
Erek Adams

 "It looks just like a Telefunken U-47.  You'll love it..."  -- Frank Zappa
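An added example (not Snort's or libpcap's own code) that models the mechanism Erek describes above: a pcap-based tool consumes its options and hands every leftover word to libpcap as the BPF filter expression, so the stray word "snort" after gdb's `run` becomes the filter and fails to compile. The option set here (`-c` and `-i` taking a value, everything else a flag) is an assumption for illustration, and the code only assembles the filter string rather than calling `pcap_compile`.

```c
#include <stdio.h>
#include <string.h>

#define FILTER_MAX 256

/* Options assumed (for illustration) to take a value: -c <conf>, -i <iface>. */
static int option_takes_value(const char *opt)
{
    return strcmp(opt, "-c") == 0 || strcmp(opt, "-i") == 0;
}

/* Consume options; join every remaining word with spaces into out.
 * Returns the filter length (0 = no filter, i.e. capture everything). */
size_t build_bpf_filter(int argc, char *const argv[], char *out, size_t outsz)
{
    size_t len = 0;
    out[0] = '\0';
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] == '-' && a[1] != '\0') {          /* an option */
            if (option_takes_value(a) && i + 1 < argc)
                i++;                                 /* skip its value */
            continue;
        }
        size_t alen = strlen(a);                    /* a filter word */
        if (len + alen + 2 > outsz)                  /* +1 space, +1 NUL */
            break;
        if (len > 0)
            out[len++] = ' ';
        memcpy(out + len, a, alen);
        len += alen;
        out[len] = '\0';
    }
    return len;
}

/* The two invocations from the thread, as argv arrays (constructed). */
static char *const argv_with_stray_name[] =
    {"snort", "snort", "-T", "-v", "-c", "/etc/snort/snort.conf"};
static char *const argv_correct[] =
    {"snort", "-T", "-v", "-c", "/etc/snort/snort.conf"};

/* What libpcap would be asked to compile after "(gdb) run snort -T -v -c ...". */
const char *filter_with_stray_name(void)
{
    static char buf[FILTER_MAX];
    build_bpf_filter(6, argv_with_stray_name, buf, sizeof buf);
    return buf;
}

/* What it would be asked to compile after "(gdb) run -T -v -c ...". */
const char *filter_correct(void)
{
    static char buf[FILTER_MAX];
    build_bpf_filter(5, argv_correct, buf, sizeof buf);
    return buf;
}

int main(void)
{
    printf("run snort -T ... -> PCAP command: \"%s\"\n", filter_with_stray_name());
    printf("run -T ...       -> PCAP command: \"%s\"\n", filter_correct());
    return 0;
}
```

The first call yields the filter "snort", which is exactly the "PCAP command: snort" line in the quoted output; the second yields an empty filter. With a real gdb, the fix is Erek's `run -T -v -c /etc/snort/snort.conf`, or starting the debugger as `gdb --args snort -T -v -c /etc/snort/snort.conf` so the program's arguments are never mixed up with its name.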



