Snort mailing list archives

Bug of Snort run on windows 10: Snort can not start successfully


From: Hongchun Li via Snort-devel <snort-devel () lists snort org>
Date: Mon, 14 Oct 2019 12:44:08 -0500

Hi Dear Developers.

The attached patch is my fix, based on version 2.9.15 and generated with the
command diff -u orig new > parseru.patch

Could you please check the patch and apply it to your code? I hope you can
include this fix in your release, especially in the Windows version package.

Best Regards,
Hongchun

Hi Dear,
I found a bug in the Windows version of Snort when starting it on Windows 10.

   - The version of Snort: snort-2.9.14.1
   - Information on the rules enabled: Snort failed to start; not related to
   rules.
   - How Snort was built: I downloaded the installation package
   Snort_2_9_14_1_Installer.exe from snort.org and just installed it.
   - Your configuration files (snort.conf, *.rules, threshold.conf, etc.)
   - Platform information: OS and hardware (Windows 10, Intel 64bit)
   - [image: snort_cmd.png]


*More information:*

Sometimes Snort just reports ERROR:...... Failed to parse the IP address:
8.0.0.0/8.0.0.0.
Analysis: that is because the WinPcap driver returns the wrong network mask,
and Snort does not check whether this network mask is valid.

*Bug fix:*

In the file parser.c, just add all the code shown in red, as follows.

/****************************************************************************
 *
 * Function  : IsNetmaskValid()
 * Purpose   : Check if a network mask value is valid
 * Arguments : mask ipv4 network mask
 * Returns   : 1 for valid, 0 for invalid
 *
 ****************************************************************************/
static int IsNetmaskValid(bpf_u_int32 mask)
{
    /* An all-zero mask is treated as invalid */
    if (mask == 0) return 0;
    /* A 1 bit directly below a 0 bit means the 1 bits are not one
     * contiguous run starting at the top bit of the integer as passed in */
    if (mask & (~mask >> 1)) {
        return 0;
    } else {
        return 1;
    }
}

/****************************************************************************
 *
 * Function  : DefineAllIfaceVars()
 * Purpose   : Find all up interfaces and define iface_ADDRESS vars for them
 * Arguments : none
 * Returns   : void function
 *
 ****************************************************************************/
static void DefineAllIfaceVars(SnortConfig *sc)
{
    /* Cache retrieved devs so if user is running with dropped privs and
     * does a reload, we can use previous values */
    static int num_vars = 0;
    /* Should be more than enough to cover the number of
     * interfaces on a machine */
    static iface_var_t iface_vars[IFACE_VARS_MAX];

    if (num_vars > 0)
    {
        int i;

        for (i = 0; i < num_vars; i++)
        {
            DefineIfaceVar(sc, iface_vars[i].name,
                    (uint8_t *)&iface_vars[i].net,
                    (uint8_t *)&iface_vars[i].netmask);
        }
    }
    else
    {
        char errbuf[PCAP_ERRBUF_SIZE];
        pcap_if_t *alldevs;
        pcap_if_t *dev;
        bpf_u_int32 net, netmask;
#ifdef WIN32
        int i = 1;
#endif

        if (pcap_findalldevs(&alldevs, errbuf) == -1)
            return;

        for (dev = alldevs; dev != NULL; dev = dev->next)
        {
            if (pcap_lookupnet(dev->name, &net, &netmask, errbuf) == 0 &&
                IsNetmaskValid(netmask) == 1)
            {


*Could you please add this bug fix and build a Windows installation package
for me? I am using the Windows version for some important testing these
days.*
*Or could you please provide me with a document on how to build the code for
the Windows version? I see that the Visual Studio project files, like .dsw
and .dsp, use the old development kit. I tried to build it and finally failed
after many tries.*


-- 
Best regards,
Hongchun




Attachment: parseru.patch
Description:
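
The netmask check proposed in this message, as an added stand-alone example that is not part of the original message or of Snort's code. The names netmask_prefix_len and mask_from_octets are hypothetical; the example assumes the mask arrives in network byte order, which is how pcap_lookupnet() fills it, so it converts with ntohl() before testing the bits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>  /* ntohl(); on Windows it comes from winsock2.h */

/* Constructed helper: lay four octets out in memory order, which is the
 * network-byte-order form an IPv4 mask has in a sockaddr. */
static uint32_t mask_from_octets(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    uint8_t raw[4] = { a, b, c, d };
    uint32_t v;
    memcpy(&v, raw, sizeof v);
    return v;
}

/* Returns the prefix length (1..32) of a contiguous IPv4 mask given in
 * network byte order, or -1 if the mask is zero or has holes. */
static int netmask_prefix_len(uint32_t mask_net_order)
{
    uint32_t m = ntohl(mask_net_order);  /* top bit = first octet's top bit */
    uint32_t inv = ~m;
    int len = 0;

    if (m == 0)
        return -1;               /* same policy as the message: 0.0.0.0 is rejected */
    if (inv & (inv + 1))
        return -1;               /* inverted mask is not 2^k - 1: bits not contiguous */
    while (m & 0x80000000u) {    /* count the leading 1 bits */
        len++;
        m <<= 1;
    }
    return len;
}

int main(void)
{
    /* Constructed samples; 8.0.0.0 is the mask from the error message above. */
    static const uint8_t s[][4] = {
        {255,255,255,0}, {255,0,0,0}, {255,255,255,255},
        {8,0,0,0}, {255,0,255,0}, {0,0,0,0}
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%u.%u.%u.%u -> %d\n", s[i][0], s[i][1], s[i][2], s[i][3],
               netmask_prefix_len(mask_from_octets(s[i][0], s[i][1], s[i][2], s[i][3])));
    return 0;
}
```

Without the ntohl() step, the same bit test on a little-endian host sees 255.255.255.0 as 0x00FFFFFF and reports it as non-contiguous.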
