Subject: Re: [snort] Livelock with "nocase"
From: John Wilson (tugwilson.co.uk)
Date: Mon Mar 06 2000 - 16:31:49 CST


----- Original Message -----
From: Erich Meier <Erich.Meierinformatik.uni-erlangen.de>
To: <snortbofh.kyrnet.kg>
Sent: 06 March 2000 21:17
Subject: Re: [snort] Livelock with "nocase"

[snip]

> > Erich,
> >
> > do you get the problem with this version of Snort without the
> > nocase option?
>
> No, without the nocase option, snort runs fine. I took a glance at the
> pattern matching code, but I could not find any very obvious loopholes.
>
> I compiled a snort version with SIGQUIT set to default and generated a core
> dump during the livelock. My dbx was not able to find the proper line in the
> code but the stack trace showed up the toupper() function.
>
> Maybe this helps a bit.

What platform are you using? The difference between case sensitive and case
insensitive pattern matching is very small (basically, there are some
toupper calls inserted into the code). I doubt that the problem lies in the
toupper() implementation (we probably have a shift of zero bytes because of
a bug in my code) but the more info we have the better.

John Wilson
The Wilson Partnership
5 Market Hill, Whitchurch, Aylesbury, Bucks HP22 4JB, UK
+44 1296 641072, +44 976 611010(mobile), +44 1296 641874(fax)
Mailto: tugwilson.co.uk
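
Added example, not part of the original message and not Snort's code: a case-insensitive search that folds case identically in the skip table and in the comparison, and clamps the shift so the scan always moves forward. It assumes a Horspool-style skip table; `fold` and `search_nocase` are hypothetical names.

```c
#include <ctype.h>
#include <stddef.h>

/* Fold one byte to upper case. The cast matters: passing a negative
 * char value to toupper() is undefined behaviour. */
static unsigned char fold(char c)
{
    return (unsigned char)toupper((unsigned char)c);
}

/* Case-insensitive Horspool search (hypothetical helper, not Snort code).
 * Returns the offset of the first match of pat in buf, or -1. */
long search_nocase(const char *buf, size_t blen, const char *pat, size_t plen)
{
    size_t skip[256];
    size_t i, pos = 0;

    if (plen == 0 || plen > blen)
        return -1;

    /* Build the skip table from the folded pattern so that table
     * lookups and comparisons agree on case. */
    for (i = 0; i < 256; i++)
        skip[i] = plen;
    for (i = 0; i + 1 < plen; i++)
        skip[fold(pat[i])] = plen - 1 - i;

    while (pos <= blen - plen) {
        size_t j = plen;
        size_t shift;

        /* Compare the window right to left, folding both sides. */
        while (j > 0 && fold(buf[pos + j - 1]) == fold(pat[j - 1]))
            j--;
        if (j == 0)
            return (long)pos;

        shift = skip[fold(buf[pos + plen - 1])];
        /* Forward-progress guard: a zero shift would re-test the same
         * window forever, the kind of livelock suspected above. */
        if (shift == 0)
            shift = 1;
        pos += shift;
    }
    return -1;
}
```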