Subject: Re: [snort] Livelock with "nocase"
From: Erich Meier (Erich.Meierinformatik.uni-erlangen.de)
Date: Mon Mar 06 2000 - 15:22:33 CST


On Mon, Mar 06, 2000 at 03:30:48PM -0500, Martin Roesch wrote:
> Do you have any core dumps? If so, can you backtrace the crash and let
> us know what happened? (If you don't know how to backtrace, let me know
> and I'll tell you!)

Not at home. I will look into this tomorrow afternoon (which is in 14 hours :-)
when I'm back in my office.

Until then,
Erich

> >
> > Hi!
> >
> > The current version of snort (and all older versions with sp_pattern_match.c)
> > seem to have a livelock problem with nocase matches. When processing rules like
> >
> > alert udp $EXTERNAL any -> $INTERNAL 53 (msg:"DNS-version-query"; content:"version|04|bind|0000 1000 03"; nocase;)
> >
> > snort seems to run in an endless cycle after a few minutes under heavy traffic.
> > Does anyone here use the "nocase" modifier and have similar problems?
> >
> > Erich
> > --
> > Erich Meier Erich.Meierinformatik.uni-erlangen.de
> > http://www4.informatik.uni-erlangen.de/~meier/
> > Dilbert: "Today I started hating people in advance." Dogbert: "It saves time."
>
> --
> Martin Roesch <roeschhiverworld.com>
> Director of Forensic Systems http://www.hiverworld.com
> Hiverworld, Inc. Enterprise Network Security
> Network Forensics, Intrusion Detection and Risk Assessment

-- 
Erich Meier                              Erich.Meierinformatik.uni-erlangen.de
                                 http://www4.informatik.uni-erlangen.de/~meier/
 Dilbert: "Today I started hating people in advance." Dogbert: "It saves time."