[Snort-devel] Snort 1.8beta3 (Build 12) hangs - traces & more info

Martin Roesch roesch at ...48...
Fri Apr 27 02:07:51 EDT 2001


Fixed and committed.

    -Marty

william.c.gercken at ...350... wrote:
> 
> Here is some additional information from another hang.
> 
> Notes:
> 
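> 1. The packet payload looks like garbage (is it encrypted data, or is this normal?).
> 2. The reported packet payload size seems much larger than the actual packet
> payload (dsize=1052, is this normal?).
> [Editor's note: in the trace below, read_ptr (0x80a6906) lies beyond
> data + dsize (0x80a6410 + 1052 = 0x80a682c), so the preprocessor appears to
> have been reading past the end of the payload when the process was stopped.
> A preprocessor that hangs on a single packet stalls the whole sensor, so
> every payload scan loop needs to be bounded by dsize.]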
> 
> Thanks.
> 
> ==
> 
> PreprocFunction (p=0xbffff450) at spp_telnet_negotiation.c:160
> 160                 DebugMessage(DEBUG_PLUGIN, "Checking: %c\n",
> *read_ptr);
> (gdb) bt
> #0  PreprocFunction (p=0xbffff450) at spp_telnet_negotiation.c:160
> #1  0x8055202 in Preprocess (p=0xbffff450) at rules.c:3260
> #2  0x804b17f in ProcessPacket (user=0x0, pkthdr=0xbffff900, pkt=0x80a63da
> "")
>     at snort.c:500
> #3  0x807197e in pcap_read ()
> #4  0x8071f4f in pcap_loop ()
> #5  0x804c3e3 in InterfaceThread (arg=0x0) at snort.c:1376
> #6  0x804b04f in main (argc=10, argv=0xbffffaa4) at snort.c:434
> #7  0x40158b65 in __libc_start_main (main=0x804aa0c <main>, argc=10,
>     ubp_av=0xbffffaa4, init=0x8049f2c <_init>, fini=0x8078e3c <_fini>,
>     rtld_fini=0x4000df24 <_dl_fini>, stack_end=0xbffffa9c)
>     at ../sysdeps/generic/libc-start.c:111
> 
> (gdb) print *read_ptr
> $1 = -16 'ð'
> (gdb) print read_ptr
> $2 = 0x80a6906 "ðú\024\210\226)$\221L«\220*¸
> (\003\236 at ...395...\231ÌÌ4\221?k&K/Íé3-)¤êÃQ
> ¯\211\b°\236\025\221h·\223iÍz§£\rgHD÷ù\207\223gªõ¦;ÑHÞT\027¿òÉ\021MD\032ɶ
> º/ÒeΨ
> \227UyôuUu\237èÛy2\200.ªßÛc\227­\020l¢\215\203\031_M%\235\215Ä)ªX°\e!
> \215È°1éã÷\
> b&+c´p\025ÃÇ\213\227$-RÅ\222ÀÕö\221íó\226Ò°ÎÿM§«\017A»
> -É9\013\bÄ\a\n²zÂPÃ'àqÂ\20
> 2\215/ö\236G)\nl"
> 
> (gdb) print p
> $13 = (Packet *) 0xbffff450
> (gdb) print *p
> $14 = {pkth = 0xbffff900, pkt = 0x80a63da "", fddihdr = 0x0, fddisaps =
> 0x0,
>   fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0,
>   trhmr = 0x0, sllh = 0x0, eh = 0x80a63da, vh = 0x0, ehllc = 0x0,
>   ehllcother = 0x0, ah = 0x0, iph = 0x80a63e8, orig_iph = 0x0,
>   ip_options_len = 0, ip_options_data = 0x0, tcph = 0x80a63fc,
>   orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0,
>   orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0,
>   data = 0x80a6410 ">¥ÅÉ\037ù^)\210\207ì9ñßü²ÎÃgÊq\\©?\200", dsize = 1052,
>   frag_flag = 0 '\000', frag_offset = 0, mf = 0 '\000', df = 1 '\001',
>   rf = 0 '\000', sp = 14230, dp = 21, orig_sp = 0, orig_dp = 0, caplen = 0,
>   URI = {uri = 0x0, length = 0}, ip_options = {{code = 0 '\000', len = 0,
>       data = 0x0} <repeats 40 times>}, ip_option_count = 0,
>   ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0,
>       data = 0x0} <repeats 40 times>}, tcp_option_count = 0,
>   tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', wire_packet = 0 '
> \000'}
> 
> (gdb) up
> #1  0x8055202 in Preprocess (p=0xbffff450) at rules.c:3260
> 3260            idx->func(p);
> (gdb) up
> #2  0x804b17f in ProcessPacket (user=0x0, pkthdr=0xbffff900, pkt=0x80a63da
> "")
>     at snort.c:500
> 500             Preprocess(&p);
> (gdb) print *p.iph
> $29 = {ip_hlen = 5 '\005', ip_ver = 4 '\004', ip_tos = 0 '\000',
>   ip_len = 56325, ip_id = 4406, ip_off = 64, ip_ttl = 125 '}',
>   ip_proto = 6 '\006', ip_csum = 12165, ip_src = {s_addr = 42959252},
>   ip_dst = {s_addr = 844178888}}
> 
> (gdb) up
> #3  0x807197e in pcap_read ()
> (gdb) up
> #4  0x8071f4f in pcap_loop ()
> (gdb) up
> #5  0x804c3e3 in InterfaceThread (arg=0x0) at snort.c:1376
> 1376        if(pcap_loop(pds[myint], pv.pkt_cnt, (pcap_handler)
> ProcessPacket, N
> ULL) < 0)
> (gdb) print pv
> $32 = {test_mode_flag = 0, alert_interface_flag = 0,
>   verbose_bytedump_flag = 0, obfuscation_flag = 0, log_cmd_override = 1,
>   alert_cmd_override = 0, char_data_flag = 0, data_flag = 1, verbose_flag
> = 0,
>   showarp_flag = 0, showipv6_flag = 0, showipx_flag = 0, readmode_flag = 0,
>   logbin_flag = 1, log_flag = 1, nolog_flag = 0, show2hdr_flag = 0,
>   syslog_flag = 0, promisc_flag = 1, rules_order_flag = 0, smbmsg_flag = 0,
>   track_flag = 0, daemon_flag = 1, quiet_flag = 1, fake_packet_flag = 0,
>   pkt_cnt = -1, pkt_snaplen = 0, homenet = 0, netmask = 0, use_rules = 1,
>   alert_mode = 1, log_plugin_active = 0, alert_plugin_active = 0,
>   pid_filename = "/var/run//snort_eth1.pid", '\000' <repeats 999 times>,
>   config_file = "snort.conf", '\000' <repeats 1013 times>,
>   config_dir = "./", '\000' <repeats 1021 times>,
>   log_dir = "/var/log/snort2", '\000' <repeats 1008 times>,
>   readfile = '\000' <repeats 1023 times>,
>   smbmsg_dir = '\000' <repeats 1023 times>,
>   pid_path = "/var/run/", '\000' <repeats 1014 times>, interfaces = {
>     0x80a5c08 "eth1", 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, mtus =
> {
>     1500, 0, 0, 0, 0, 0, 0, 0, 0, 0}, pcap_cmd = 0x0, alert_filename = 0x0,
>   binLogFile = 0x0, use_utc = 0, include_year = 0, ghetto_msg_flag = 0,
>   ct = 0x80acc80}
> (gdb)
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...48...
http://www.snort.org



