[Snort-devel] Snort 1.8beta3 (Build 12) hangs - traces & more info

william.c.gercken at ...350... william.c.gercken at ...350...
Wed Apr 25 12:31:54 EDT 2001



Here is some additional information from another hang.

Notes:

1. The packet payload contains garbage (encrypted data, or is this normal?).
2. The reported packet payload size is much larger than the packet payload
itself (dsize=1052, is this normal?).


Thanks.

==

PreprocFunction (p=0xbffff450) at spp_telnet_negotiation.c:160
160                 DebugMessage(DEBUG_PLUGIN, "Checking: %c\n",
*read_ptr);
(gdb) bt
#0  PreprocFunction (p=0xbffff450) at spp_telnet_negotiation.c:160
#1  0x8055202 in Preprocess (p=0xbffff450) at rules.c:3260
#2  0x804b17f in ProcessPacket (user=0x0, pkthdr=0xbffff900, pkt=0x80a63da
"")
    at snort.c:500
#3  0x807197e in pcap_read ()
#4  0x8071f4f in pcap_loop ()
#5  0x804c3e3 in InterfaceThread (arg=0x0) at snort.c:1376
#6  0x804b04f in main (argc=10, argv=0xbffffaa4) at snort.c:434
#7  0x40158b65 in __libc_start_main (main=0x804aa0c <main>, argc=10,
    ubp_av=0xbffffaa4, init=0x8049f2c <_init>, fini=0x8078e3c <_fini>,
    rtld_fini=0x4000df24 <_dl_fini>, stack_end=0xbffffa9c)
    at ../sysdeps/generic/libc-start.c:111

(gdb) print *read_ptr
$1 = -16 'ð'
(gdb) print read_ptr
$2 = 0x80a6906 "ðú\024\210\226)$\221L«\220*¸
(\003\236 at ...395...\231ÌÌ4\221?k&K/Íé3-)¤êÃQ
¯\211\b°\236\025\221h·\223iÍz§£\rgHD÷ù\207\223gªõ¦;ÑHÞT\027¿òÉ\021MD\032ɶ
º/ÒeΨ
\227UyôuUu\237èÛy2\200.ªßÛc\227­\020l¢\215\203\031_M%\235\215Ä)ªX°\e!
\215È°1éã÷\
b&+c´p\025ÃÇ\213\227$-RÅ\222ÀÕö\221íó\226Ò°ÎÿM§«\017A»
-É9\013\bÄ\a\n²zÂPÃ'àqÂ\20
2\215/ö\236G)\nl"

(gdb) print p
$13 = (Packet *) 0xbffff450
(gdb) print *p
$14 = {pkth = 0xbffff900, pkt = 0x80a63da "", fddihdr = 0x0, fddisaps =
0x0,
  fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0,
  trhmr = 0x0, sllh = 0x0, eh = 0x80a63da, vh = 0x0, ehllc = 0x0,
  ehllcother = 0x0, ah = 0x0, iph = 0x80a63e8, orig_iph = 0x0,
  ip_options_len = 0, ip_options_data = 0x0, tcph = 0x80a63fc,
  orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0,
  orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0,
  data = 0x80a6410 ">¥ÅÉ\037ù^)\210\207ì9ñßü²ÎÃgÊq\\©?\200", dsize = 1052,
  frag_flag = 0 '\000', frag_offset = 0, mf = 0 '\000', df = 1 '\001',
  rf = 0 '\000', sp = 14230, dp = 21, orig_sp = 0, orig_dp = 0, caplen = 0,
  URI = {uri = 0x0, length = 0}, ip_options = {{code = 0 '\000', len = 0,
      data = 0x0} <repeats 40 times>}, ip_option_count = 0,
  ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0,
      data = 0x0} <repeats 40 times>}, tcp_option_count = 0,
  tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', wire_packet = 0 '\000'}

(gdb) up
#1  0x8055202 in Preprocess (p=0xbffff450) at rules.c:3260
3260            idx->func(p);
(gdb) up
#2  0x804b17f in ProcessPacket (user=0x0, pkthdr=0xbffff900, pkt=0x80a63da
"")
    at snort.c:500
500             Preprocess(&p);
(gdb) print *p.iph
$29 = {ip_hlen = 5 '\005', ip_ver = 4 '\004', ip_tos = 0 '\000',
  ip_len = 56325, ip_id = 4406, ip_off = 64, ip_ttl = 125 '}',
  ip_proto = 6 '\006', ip_csum = 12165, ip_src = {s_addr = 42959252},
  ip_dst = {s_addr = 844178888}}

(gdb) up
#3  0x807197e in pcap_read ()
(gdb) up
#4  0x8071f4f in pcap_loop ()
(gdb) up
#5  0x804c3e3 in InterfaceThread (arg=0x0) at snort.c:1376
1376        if(pcap_loop(pds[myint], pv.pkt_cnt, (pcap_handler) ProcessPacket, NULL) < 0)
(gdb) print pv
$32 = {test_mode_flag = 0, alert_interface_flag = 0,
  verbose_bytedump_flag = 0, obfuscation_flag = 0, log_cmd_override = 1,
  alert_cmd_override = 0, char_data_flag = 0, data_flag = 1, verbose_flag
= 0,
  showarp_flag = 0, showipv6_flag = 0, showipx_flag = 0, readmode_flag = 0,
  logbin_flag = 1, log_flag = 1, nolog_flag = 0, show2hdr_flag = 0,
  syslog_flag = 0, promisc_flag = 1, rules_order_flag = 0, smbmsg_flag = 0,
  track_flag = 0, daemon_flag = 1, quiet_flag = 1, fake_packet_flag = 0,
  pkt_cnt = -1, pkt_snaplen = 0, homenet = 0, netmask = 0, use_rules = 1,
  alert_mode = 1, log_plugin_active = 0, alert_plugin_active = 0,
  pid_filename = "/var/run//snort_eth1.pid", '\000' <repeats 999 times>,
  config_file = "snort.conf", '\000' <repeats 1013 times>,
  config_dir = "./", '\000' <repeats 1021 times>,
  log_dir = "/var/log/snort2", '\000' <repeats 1008 times>,
  readfile = '\000' <repeats 1023 times>,
  smbmsg_dir = '\000' <repeats 1023 times>,
  pid_path = "/var/run/", '\000' <repeats 1014 times>, interfaces = {
    0x80a5c08 "eth1", 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, mtus =
{
    1500, 0, 0, 0, 0, 0, 0, 0, 0, 0}, pcap_cmd = 0x0, alert_filename = 0x0,
  binLogFile = 0x0, use_utc = 0, include_year = 0, ghetto_msg_flag = 0,
  ct = 0x80acc80}
(gdb)






