Subject: Re: [snort] Livelock with "nocase"
From: Martin Roesch (roesch hiverworld.com)
Date: Mon Mar 06 2000 - 14:30:48 CST
- Next message: Martin Roesch: "Re: [snort] New snort tool"
- Previous message: Martin Roesch: "[snort] Back home...."
- In reply to: Erich Meier: "[snort] Livelock with "nocase""
- Next in thread: Erich Meier: "Re: [snort] Livelock with "nocase""
- Reply: Martin Roesch: "Re: [snort] Livelock with "nocase""
- Reply: Erich Meier: "Re: [snort] Livelock with "nocase""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Do you have any core dumps? If so, can you backtrace the crash and let
us know what happened? (If you don't know how to backtrace, let me know
and I'll tell you!)
-Marty
Erich Meier wrote:
>
> Hi!
>
> The current version of snort (and all older versions with sp_pattern_match.c)
> seem to have a livelock problem with nocase matches. When processing rules like
>
> alert udp $EXTERNAL any -> $INTERNAL 53 (msg:"DNS-version-query"; content:"version|04|bind|0000 1000 03"; nocase;)
>
> snort seems to run in an endless cycle after a few minutes under heavy traffic.
> Does anyone here use the "nocase" modifier and have similar problems?
>
> Erich
> --
> Erich Meier Erich.Meier informatik.uni-erlangen.de
> http://www4.informatik.uni-erlangen.de/~meier/
> Dilbert: "Today I started hating people in advance." Dogbert: "It saves time."
--
Martin Roesch <roeschhiverworld.com>
Director of Forensic Systems
http://www.hiverworld.com
Hiverworld, Inc.
Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment