[Snort-users] React: block

Todd Wease twease at ...1935...
Mon Jun 25 17:29:01 EDT 2007


Pachulski, Keith wrote:
> Snort was compiled with --enable-gre, --enable-aruba, and
> --enable-flexresp
> 
> # snort -V 
> 
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.6.1.5 (Build 59)  
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/team.html
>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
> 
> # uname -av
> Linux monitor 2.6.9-42.0.10.EL #1 Tue Feb 27 09:24:42 EST 2007 i686 i686
> i386 GNU/Linux
> 
> When I try to run snort with the react: block
> 
> I get the following error
> 
> snort[6099]: FATAL ERROR: /home/snort/local.rules(8): SnortSnprintf
> failed 
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN anal
> sex"; content:"anal sex"; nocase; flow:to_client,established;
> classtype:kickass-porn; sid:1317; rev:5; react: block;)
> 
> So what am I doing wrong =)

You're not doing anything wrong.  It looks like we're not allocating the
NULL byte for the buffer that is passed to SnortSnprintf, so it is
returning a truncated result.  This should be fixed in the final Snort
2.7.0 (not the RC).

Thanks,
Todd
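
Added illustration of the bug class described in the reply above (not part of the original message and not code from the Snort source tree): a buffer sized from strlen() alone leaves no room for the terminating NUL, so a snprintf wrapper that checks for truncation reports failure. The wrapper name, its return codes, and the sample strings are assumptions made up for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a truncation-checking snprintf wrapper
 * (not Snort's SnortSnprintf): 0 = ok, 1 = truncated, -1 = error. */
static int checked_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (buf == NULL || size == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    /* vsnprintf returns the length it wanted to write, excluding the NUL. */
    return ((size_t)n >= size) ? 1 : 0;
}

/* Build "<prefix><msg>" in a heap buffer. With add_nul == 0 the buffer is
 * sized from strlen() alone (the off-by-one); with add_nul == 1 it also
 * has room for the terminator. Returns the wrapper's status code. */
static int build_page(const char *prefix, const char *msg, int add_nul)
{
    size_t size = strlen(prefix) + strlen(msg) + (add_nul ? 1 : 0);
    char *buf = malloc(size ? size : 1);
    int rc;

    if (buf == NULL)
        return -1;
    rc = checked_snprintf(buf, size, "%s%s", prefix, msg);
    free(buf);
    return rc;
}

int main(void)
{
    /* Constructed sample strings, not Snort's actual react page text. */
    const char *prefix = "<html><body>Blocked: ";
    const char *msg = "sample rule message";

    printf("strlen only : %d\n", build_page(prefix, msg, 0));
    printf("strlen + 1  : %d\n", build_page(prefix, msg, 1));
    return 0;
}
```

A caller that treats any non-zero status as fatal turns the one-byte shortfall into a startup failure rather than a silently clipped string.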



