Subject: Re: [snort] Livelock with "nocase"
From: Erich Meier (Erich.Meier informatik.uni-erlangen.de)
Date: Mon Mar 06 2000 - 15:17:37 CST
- In reply to: John Wilson: "Re: [snort] Livelock with "nocase""
> > Hi!
> >
> > The current version of snort (and all older versions with sp_pattern_match.c)
> > seem to have a livelock problem with nocase matches. When processing rules like
> >
> > alert udp $EXTERNAL any -> $INTERNAL 53 (msg:"DNS-version-query"; content:"version|04|bind|0000 1000 03"; nocase;)
> >
> > snort seems to run in an endless cycle after a few minutes under heavy traffic.
> > Does anyone here use the "nocase" modifier and have similar problems?
>
> Erich,
>
> do you get the problem with this version of Snort without the
> nocase option?
No, without the nocase option, snort runs fine. I took a glance at the
pattern matching code, but I could not find any very obvious loopholes.
I compiled a snort version with SIGQUIT set to default and generated a core
dump during the livelock. My dbx was not able to find the proper line in the
code but the stack trace showed up the toupper() function.
Maybe this helps a bit.
Regards,
Erich