[Snort-users] Snort 2.8.0.1 segfaults on a specific rule - parser bug (?)

Matt Jonkman jonkman at ...4024...
Wed Jan 16 11:52:27 EST 2008


Ya, that was a script error that gave the empty ip list. Was fixed
immediately after, should be good to go now.

Matt

James Lay wrote:
> On 1/15/08 9:15 AM, "Andreas Maus" <maus at ...13999...> wrote:
> 
>> Hi list!
>>
>> After an upgrade of the bleedingedge ruleset I discovered that
>> Snort (2.8.0 and 2.8.0.1) dumps core on a specific rule.
>>
>> This rule can be found in bleeding-botcc.rules. There is only
>> one rule so finding that rule was easy ;)
>>
>> The offending rule is:
>>
>> alert ip $HOME_NET any -> [] any (msg:"BLEEDING-EDGE DROP Known Bot C&C Server
>> Traffic (group 1) "; reference:url,www.shadowserver.org; threshold: type
>> limit, track by_src, seconds 3600, count
>> :trojan-activity; sid:2404000; rev:1026;)
>>
>> I guess it is the "-> []" part that triggers the core dump
>> (I will also post a mail to the appropriate mailing list - snort-sigs ?
>> about this).
>>
>> Anyway I don't think it is the desired behavior to just SIGSEGV.
>> An error will be o.k.
>>
>> The output from snort was:
>>
>> Running in Test mode with config file: /etc/snort/snort.conf
>> Running in IDS mode
> 
> 
> I saw the same thing...oinkmaster runs at 6 AM here, and it couldn't hit
> snort.org, so I killed the process...on two boxes snort would seg fault.  I
> reran oinkmaster at 6:38, and could connect and the problem went away.  I
> suspect the rules were fixed then.
> 
> James
> 
> 
>>         --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Initializing Preprocessors!
>> Initializing Plug-ins!
>> Parsing Rules file /etc/snort/snort.conf
>> PortVar 'HTTP_PORTS' defined :  [ 80]
>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535]
>> PortVar 'ORACLE_PORTS' defined :  [ 1521]
>> -------------------------------------------------
>>  Keyword     |       Preprocessor @
>> -------------------------------------------------
>> rpc_decode   :       0x45f6fe
>> bo           :       0x45e7aa
>> stream4      :       0x4612d2
>> stream4_reassemble:       0x462ab8
>> stream4_external:       0x462457
>> arpspoof     :       0x45daf5
>> arpspoof_detect_host:       0x45dc46
>> http_inspect :       0x4796a2
>> http_inspect_server:       0x4796a2
>> PerfMonitor  :       0x471b42
>> flow         :       0x47d90e
>> flow-portscan:       0x48d955
>> sfportscan   :       0x4809cc
>> frag3_global :       0x4811d2
>> frag3_engine :       0x48130f
>> stream5_global:       0x488594
>> stream5_tcp  :       0x488fbd
>> stream5_udp  :       0x489034
>> stream5_icmp :       0x4890ab
>> -------------------------------------------------
>>
>> -------------------------------------------------
>>  Keyword     |      Plugin Registered @
>> -------------------------------------------------
>> content      :      0x4521af
>> offset       :      0x452616
>> depth        :      0x45278d
>> nocase       :      0x452927
>> rawbytes     :      0x4529f9
>> uricontent   :      0x452281
>> http_client_body:      0x45235e
>> http_uri     :      0x4524ba
>> distance     :      0x452aae
>> within       :      0x452c3c
>> replace      :      0x45075b
>> flags        :      0x455433
>> itype        :      0x44e943
>> icode        :      0x44de9f
>> ttl          :      0x4560bf
>> id           :      0x44f8df
>> ack          :      0x455223
>> seq          :      0x455c17
>> dsize        :      0x44d86b
>> ipopts       :      0x450277
>> rpc          :      0x454223
>> icmp_id      :      0x44e4b3
>> icmp_seq     :      0x44e6fb
>> session      :      0x4549d3
>> tos          :      0x44ffd3
>> fragbits     :      0x44ef53
>> fragoffset   :      0x44f542
>> window       :      0x455dfe
>> ip_proto     :      0x44facf
>> sameip       :      0x44fe0b
>> flow         :      0x4567ea
>> byte_test    :      0x456f0b
>> byte_jump    :      0x45790b
>> isdataat     :      0x458e8f
>> pcre         :      0x4582f2
>> flowbits     :      0x45941a
>> asn1         :      0x45a27f
>> ftpbounce    :      0x45a8db
>> urilen       :      0x45adea
>> -------------------------------------------------
>>
>> -------------------------------------------------
>>  Keyword     |          Output @
>> -------------------------------------------------
>> alert_syslog :       0x440aa3
>> log_tcpdump  :       0x44732f
>> database     :       0x442f3b
>> alert_fast   :       0x43fcfb
>> alert_full   :       0x44049b
>> alert_unixsock:       0x4417e3
>> alert_CSV    :       0x441dd3
>> log_null     :       0x447247
>> log_unified  :       0x4499be
>> alert_unified:       0x449667
>> unified      :       0x447bcf
>> log_unified2 :       0x44b80a
>> alert_unified2:       0x44b77f
>> unified2     :       0x44a643
>> log_ascii    :       0x44b8e7
>> alert_sf_socket:       0x44c53f
>> alert_sf_socket_sid:       0x44c883
>> alert_test   :       0x44d0fb
>> -------------------------------------------------
>>
>> Detection:
>>    Search-Method = Low-Mem
>> ,-----------[Flow Config]----------------------
>> | Stats Interval:  0
>> | Hash Method:     2
>> | Memcap:          10485760
>> | Rows  :          4096
>> | Overhead Bytes:  32776(%0.31)
>> `----------------------------------------------
>> Frag3 global config:
>>     Max frags: 65536
>>     Fragment memory cap: 4194304 bytes
>> Frag3 engine config:
>>     Target-based policy: FIRST
>>     Fragment timeout: 60 seconds
>>     Fragment min_ttl:   1
>>     Fragment ttl_limit: 5
>>     Fragment Problems: 1
>> Stream4 config:
>>     Stateful inspection: ACTIVE
>>     Session statistics: INACTIVE
>>     Session timeout: 30 seconds
>>     Session memory cap: 8388608 bytes
>>     Session count max: 8192 sessions
>>     Session cleanup count: 5
>>     State alerts: INACTIVE
>>     Evasion alerts: INACTIVE
>>     Scan alerts: INACTIVE
>>     Log Flushed Streams: INACTIVE
>>     MinTTL: 1
>>     TTL Limit: 5
>>     Async Link: 0
>>     State Protection: 0
>>     Self preservation threshold: 50
>>     Self preservation period: 90
>>     Suspend threshold: 200
>>     Suspend period: 30
>>     Enforce TCP State: INACTIVE
>>     Midstream Drop Alerts: INACTIVE
>>     Allow Blocking of TCP Sessions in Inline: ACTIVE
>> WARNING /etc/snort/snort.conf(439) => flush_behavior set in config file, using
>> old static flushpoints (0)
>> Stream4_reassemble config:
>>     Server reassembly: INACTIVE
>>     Client reassembly: ACTIVE
>>     Reassembler alerts: ACTIVE
>>     Zero out flushed packets: INACTIVE
>>     Flush stream on alert: INACTIVE
>>     flush_data_diff_size: 500
>>     Reassembler Packet Preferance : Favor Old
>>     Packet Sequence Overlap Limit: -1
>>     Flush behavior: Small (<255 bytes)
>>     Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521
>> 3306 
>>     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513
>> 1433 1521 3306 
>> PerfMonitor config:
>>     Time:           300 seconds
>>     Flow Stats:     INACTIVE
>>     Event Stats:    INACTIVE
>>     Max Perf Stats: INACTIVE
>>     Console Mode:   INACTIVE
>>     File Mode:      /var/log/snort/snort.stats
>>     SnortFile Mode: INACTIVE
>>     Packet Count:   10000
>>     Dump Summary:   No
>> HttpInspect Config:
>>     GLOBAL CONFIG
>>       Max Pipeline Requests:    0
>>       Inspection Type:          STATELESS
>>       Detect Proxy Usage:       NO
>>       IIS Unicode Map Filename: /etc/snort/unicode.map
>>       IIS Unicode Map Codepage: 1252
>>     DEFAULT SERVER CONFIG:
>>       Server profile: All
>>       Ports: 80 8080 8180
>>       Flow Depth: 300
>>       Max Chunk Length: 500000
>>       Inspect Pipeline Requests: YES
>>       URI Discovery Strict Mode: NO
>>       Allow Proxy Usage: NO
>>       Disable Alerting: NO
>>       Oversize Dir Length: 500
>>       Only inspect URI: NO
>>       Ascii: YES alert: NO
>>       Double Decoding: YES alert: YES
>>       %U Encoding: YES alert: YES
>>       Bare Byte: YES alert: YES
>>       Base36: OFF
>>       UTF 8: OFF
>>       IIS Unicode: YES alert: YES
>>       Multiple Slash: YES alert: NO
>>       IIS Backslash: YES alert: NO
>>       Directory Traversal: YES alert: NO
>>       Web Root Traversal: YES alert: YES
>>       Apache WhiteSpace: YES alert: NO
>>       IIS Delimiter: YES alert: NO
>>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>       Non-RFC Compliant Characters: NONE
>>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>> rpc_decode arguments:
>>     Ports to decode RPC on: 111 32771
>>     alert_fragments: INACTIVE
>>     alert_large_fragments: ACTIVE
>>     alert_incomplete: ACTIVE
>>     alert_multiple_requests: ACTIVE
>> Portscan Detection Config:
>>     Detect Protocols:  TCP UDP ICMP IP
>>     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
>>     Sensitivity Level: Medium
>>     Memcap (in bytes): 10000000
>>     Number of Nodes:   31347
>>     Ignore Scanner IP List:
>>         213.146.114.84 / 255.255.255.255
>>         88.198.22.244 / 255.255.255.255
>>
>> PortVar 'SSH_PORTS' defined :  [ 22]
>> Tagged Packet Limit: 256
>> Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>> done
>> Loading all dynamic preprocessor libs from
>> /usr/local/lib/snort_dynamicpreprocessor/...
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.s
>> o... done
>>   Finished Loading all dynamic preprocessor libs from
>> /usr/local/lib/snort_dynamicpreprocessor/
>> FTPTelnet Config:
>>     GLOBAL CONFIG
>>       Inspection Type: stateful
>>       Check for Encrypted Traffic: YES alert: YES
>>       Continue to check encrypted data: NO
>>     TELNET CONFIG:
>>       Ports: 23 
>>       Are You There Threshold: 200
>>       Normalize: YES
>>       Detect Anomalies: NO
>>     FTP CONFIG:
>>       FTP Server: default
>>         Ports: 21
>>         Check for Telnet Cmds: YES alert: YES
>>         Identify open data channels: YES
>>       FTP Client: default
>>         Check for Bounce Attacks: YES alert: YES
>>         Check for Telnet Cmds: YES alert: YES
>>         Max Response Length: 256
>>
>> SMTP Config:
>>     Ports: 25 
>>     Inspection Type: Stateful
>>     Normalize: EXPN RCPT VRFY
>>     Ignore Data: No
>>     Ignore TLS Data: No
>>     Ignore SMTP Alerts: No
>>     Max Command Line Length: Unlimited
>>     Max Specific Command Line Length:
>>        ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
>>        RCPT:300 VRFY:255
>>     Max Header Line Length: Unlimited
>>     Max Response Line Length: Unlimited
>>     X-Link2State Alert: Yes
>>     Drop on X-Link2State Alert: No
>>     Alert on commands: None
>>
>> DCE/RPC Decoder config:
>>     Autodetect ports ENABLED
>>     SMB fragmentation ENABLED
>>     DCE/RPC fragmentation ENABLED
>>     Max Frag Size: 3000 bytes
>>     Memcap: 100000 KB
>>     Alert if memcap exceeded DISABLED
>>
>> DNS config: 
>>     DNS Client rdata txt Overflow Alert: ACTIVE
>>     Obsolete DNS RR Types Alert: INACTIVE
>>     Experimental DNS RR Types Alert: INACTIVE
>>     Ports: 53
>>
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Initializing rule chains...
>> Segmentation fault (core dumped)
>>
>> The backtrace from the core file is:
>>
>> debian3164m:/tmp/snort-2.8.0.1# ocal/bin/snort  core
>> GNU gdb 6.4.90-debian
>> Copyright (C) 2006 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you are
>> welcome to change it and/or distribute copies of it under certain conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB.  Type "show warranty" for details.
>> This GDB was configured as "x86_64-linux-gnu"...Using host libthread_db
>> library "/lib/libthread_db.so.1".
>>
>> Reading symbols from /usr/lib/libmysqlclient.so.14...done.
>> Loaded symbols for /usr/lib/libmysqlclient.so.14
>> Reading symbols from /lib/libcrypt.so.1...done.
>> Loaded symbols for /lib/libcrypt.so.1
>> Reading symbols from /usr/lib/libz.so.1...done.
>> Loaded symbols for /usr/lib/libz.so.1
>> Reading symbols from /usr/lib/libpcre.so.3...done.
>> Loaded symbols for /usr/lib/libpcre.so.3
>> Reading symbols from /usr/lib/libpcap.so.0.8...done.
>> Loaded symbols for /usr/lib/libpcap.so.0.8
>> Reading symbols from /lib/libm.so.6...done.
>> Loaded symbols for /lib/libm.so.6
>> Reading symbols from /lib/libnsl.so.1...done.
>> Loaded symbols for /lib/libnsl.so.1
>> Reading symbols from /lib/libdl.so.2...done.
>> Loaded symbols for /lib/libdl.so.2
>> Reading symbols from /usr/lib/libnet.so.0...done.
>> Loaded symbols for /usr/lib/libnet.so.0
>> Reading symbols from /lib/libc.so.6...done.
>> Loaded symbols for /lib/libc.so.6
>> Reading symbols from /lib/ld-linux-x86-64.so.2...done.
>> Loaded symbols for /lib64/ld-linux-x86-64.so.2
>> Reading symbols from /lib/libnss_files.so.2...done.
>> Loaded symbols for /lib/libnss_files.so.2
>> Reading symbols from
>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...done.
>> Loaded symbols for /usr/local/lib/snort_dynamicengine/libsf_engine.so
>> Reading symbols from
>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...done.
>> Loaded symbols for
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so
>> Reading symbols from
>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...done.
>> Loaded symbols for
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so
>> Reading symbols from
>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...done.
>> Loaded symbols for
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so
>> Reading symbols from
>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...done.
>> Loaded symbols for
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so
>> Reading symbols from
>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...done.
>> Loaded symbols for
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so
>> Reading symbols from
>> /usr/local/lib/snort_dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so
>> ...done.
>> Loaded symbols for
>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so
>> Core was generated by `/usr/local/bin/snort -p -u snort -g snort -b -i eth0 -l
>> /var/log/snort -c /etc/'.
>> Program terminated with signal 11, Segmentation fault.
>> #0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at
>> parser.c:1556
>> 1556        if(!addrset->iplist || !addrset->neg_iplist)
>> (gdb) bt
>> #0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at
>> parser.c:1556
>> #1  0x0000000000417d63 in ParseRule (rule_file=0x12edb30,
>>     prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE
>> DROP Known Bot C&C Server Traffic (group 1) \";
>> reference:url,www.shadowserver.org; threshold: type limit, track by_src, se
>> count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
>> #2  0x0000000000415bda in ParseRulesFile (file=0x40dd840
>> "/etc/snort/rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at
>> parser.c:732
>> #3  0x000000000041734e in ParseRule (rule_file=0x12ed8f0, prule=0x135fc70
>> "include $RULE_PATH/bleeding-botcc.rules", inclevel=0, parse_rule_lines=1) at
>> parser.c:1749
>> #4  0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0
>> "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
>> #5  0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at
>> snort.c:913
>> #6  0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at snort.c:388
>> (gdb) bt full
>> #0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at
>> parser.c:1556
>>         idx = (IpAddrNode *) 0x0
>>         neg_idx = (IpAddrNode *) 0x0
>> #1  0x0000000000417d63 in ParseRule (rule_file=0x12edb30,
>>     prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE
>> DROP Known Bot C&C Server Traffic (group 1) \";
>> reference:url,www.shadowserver.org; threshold: type limit, track by_src, se
>> count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
>>         toks = (char **) 0x404ac50
>>         num_toks = 10
>>         rule_type = 2
>>         protocol = 2048
>>         tmp = 0x100000000 <Address 0x100000000 out of bounds>
>>         proto_node = {rule_func = 0x0, head_node_number = 0, type = 2, sip =
>> 0x40b9d20, dip = 0x0, proto = 2048, src_portobject = 0x12f3430, dst_portobject
>> = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0,
>>   not_dp_flag = 0, hdp = 0, ldp = 0, flags = 4, active_flag = 0,
>> activation_counter = 0, countdown = 0, activate_list = 0x0, right = 0x0, down
>> = 0x0, listhead = 0x0}
>>         node = (RuleListNode *) 0x12d91c0
>>         rule = 0x40df030 "alert ip $HOME_NET any -> [] any
>> (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";
>> reference:url,www.shadowserver.org; threshold: type limit, track by_sr
>> 600, count 1; clas"...
>>         preprocessor_rule = 0
>> #2  0x0000000000415bda in ParseRulesFile (file=0x40dd840
>> "/etc/snort/rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at
>> parser.c:732
>>         thefp = (FILE *) 0x12edb30
>>         index = 0x1377c90 "alert ip $HOME_NET any -> [] any
>> (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";
>> reference:url,www.shadowserver.org; threshold: type limit, track by_s
>> 3600, count 1; clas"...
>>         stored_file_name = 0x12ef640 "/etc/snort/snort.conf"
>>         stored_file_line = 1025
>>         saved_line = 0x0
>>         continuation = 0
>>         new_line = 0x0
>>         file_stat = {st_dev = 2050, st_ino = 8127365, st_nlink = 1, st_mode =
>> 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0, st_size = 2257,
>> st_blksize = 4096, st_blocks = 8, st_atim = {
>>     tv_sec = 1200413549, tv_nsec = 311419820}, st_mtim = {tv_sec = 1200413430,
>> tv_nsec = 165384706}, st_ctim = {tv_sec = 1200413430, tv_nsec = 173383232},
>> __unused = {0, 0, 0}}
>>         rule = 0x1367c80 ""
>>         buf = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE
>> DROP Known Bot C&C Server Traffic (group 1) \";
>> reference:url,www.shadowserver.org; threshold: type limit, track by_src
>> 00, count 1; clas"...
>> #3  0x000000000041734e in ParseRule (rule_file=0x12ed8f0, prule=0x135fc70
>> "include $RULE_PATH/bleeding-botcc.rules", inclevel=0, parse_rule_lines=1) at
>> parser.c:1749
>>         toks = (char **) 0x40e03a0
>>         num_toks = 2
>>         rule_type = 4
>>         protocol = 0
>>         tmp = 0x40dd840 "/etc/snort/rules/bleeding-botcc.rules"
>>         proto_node = {rule_func = 0x0, head_node_number = 0, type = 0, sip =
>> 0x0, dip = 0x0, proto = 0, src_portobject = 0x0, dst_portobject = 0x0,
>> not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag = 0
>>   ldp = 0, flags = 0, active_flag = 0, activation_counter = 0, countdown = 0,
>> activate_list = 0x0, right = 0x0, down = 0x0, listhead = 0x0}
>>         node = (RuleListNode *) 0x12d91c0
>>         rule = 0x40b96c0 "include /etc/snort/rules/bleeding-botcc.rules"
>>         preprocessor_rule = 0
>> #4  0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0
>> "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
>>         thefp = (FILE *) 0x12ed8f0
>>         index = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
>>         stored_file_name = 0x0
>>         stored_file_line = 0
>>         saved_line = 0x0
>>         continuation = 0
>>         new_line = 0x0
>>         file_stat = {st_dev = 2050, st_ino = 8127287, st_nlink = 1, st_mode =
>> 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0, st_size = 41827,
>> st_blksize = 4096, st_blocks = 88, st_atim = {
>>     tv_sec = 1200413549, tv_nsec = 329416502}, st_mtim = {tv_sec = 1200404707,
>> tv_nsec = 503702715}, st_ctim = {tv_sec = 1200404707, tv_nsec = 512701056},
>> __unused = {0, 0, 0}}
>>         rule = 0x1346e60 ""
>>         buf = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
>> #5  0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at
>> snort.c:913
>>         set = {__val = {0 <repeats 16 times>}}
>> #6  0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at snort.c:388
>> No locals.
>> (gdb) quit
>>
>> Despite fixing the rule, is there a known workaround ?
>>
>> Maybe this issue will be fixed in 2.8.0.2 ;)
>>
>> So long,
>>
>> Andreas.
> 
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
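
The backtrace quoted in this thread shows `CheckForIPListConflicts` dereferencing `addrset=0x0` after the rule's empty `[]` destination list. As an added example (not Snort's code and not written by anyone in the thread), the C program below shows the behaviour the report asks for, where an empty list becomes a parse error instead of a NULL dereference. The types and the functions `parse_ip_list`, `check_ip_list_conflicts` and `validate_dst` are simplified, hypothetical stand-ins, and the sample tokens are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-ins for the types named in the backtrace (not Snort's own). */
typedef struct IpAddrNode { char addr[64]; struct IpAddrNode *next; } IpAddrNode;
typedef struct { IpAddrNode *iplist, *neg_iplist; } IpAddrSet;

static void free_set(IpAddrSet *s)   /* s must be non-NULL */
{
    IpAddrNode *lists[2] = { s->iplist, s->neg_iplist };
    for (int i = 0; i < 2; i++)
        for (IpAddrNode *n = lists[i], *nx; n; n = nx) { nx = n->next; free(n); }
    free(s);
}

/* Hypothetical list parser: returns NULL when the token holds no address ("[]"). */
static IpAddrSet *parse_ip_list(const char *tok)
{
    char buf[256];
    IpAddrSet *s = calloc(1, sizeof *s);
    if (!s) abort();
    snprintf(buf, sizeof buf, "%s", tok);
    for (char *p = strtok(buf, "[], \t"); p; p = strtok(NULL, "[], \t")) {
        int neg = (*p == '!');               /* "!addr" goes on the negated list */
        IpAddrNode *n = calloc(1, sizeof *n);
        if (!n) abort();
        snprintf(n->addr, sizeof n->addr, "%s", p + neg);
        IpAddrNode **head = neg ? &s->neg_iplist : &s->iplist;
        n->next = *head; *head = n;
    }
    if (!s->iplist && !s->neg_iplist) { free_set(s); return NULL; }
    return s;
}

/* 0 = no conflict, 1 = same address listed and negated, -1 = no address set.
 * The NULL test is the guard absent at the crash site shown in the backtrace. */
static int check_ip_list_conflicts(const IpAddrSet *addrset)
{
    if (addrset == NULL) return -1;
    if (!addrset->iplist || !addrset->neg_iplist) return 0;
    for (const IpAddrNode *i = addrset->iplist; i; i = i->next)
        for (const IpAddrNode *n = addrset->neg_iplist; n; n = n->next)
            if (strcmp(i->addr, n->addr) == 0) return 1;
    return 0;
}

/* Returns 0 if the address token is usable, -1 with a message in err otherwise. */
static int validate_dst(const char *tok, char *err, size_t errlen)
{
    IpAddrSet *set = parse_ip_list(tok);
    int rc = check_ip_list_conflicts(set);
    if (rc == -1) snprintf(err, errlen, "empty IP list in rule header: '%s'", tok);
    else if (rc == 1) snprintf(err, errlen, "address both listed and negated: '%s'", tok);
    else err[0] = '\0';
    if (set) free_set(set);
    return rc == 0 ? 0 : -1;
}

int main(void)
{
    const char *samples[] = { "[]", "[192.0.2.1,!192.0.2.1]", "[192.0.2.1,198.51.100.7]" }; /* constructed */
    char err[128];
    for (size_t i = 0; i < 3; i++)
        printf("%-26s -> %s\n", samples[i], validate_dst(samples[i], err, sizeof err) ? err : "ok");
}
```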





