[Snort-devel] snort 1.8 core dump

K. Peter peter at ...588...
Fri Aug 10 03:10:01 EDT 2001


Bug-Report for Snort Version 1.8

System Architecture : Sparc     (sun4u : Ultra 1 Model 17)
Operating System    : Solaris 7 (SunOS 5.7 Generic_106541-16)
Rules for Snort 1.8 : see below

Command line : 

/zib/maint/snort/snort/snort -Dd -z -y \
-c /zib5/maint/snort/snort.conf  host 130.73.68.1

No Snort-Error-Messages

vispars1% pwd
/var/log/snort
vispars1% ls -la
total 28204
drwxr-xr-x  12 root     other       1024 Aug  9 14:39 .
drwxr-xr-x   4 root     sys          512 Aug 10 00:10 ..
drwx------   2 root     other        512 Aug  9 12:54 130.73.121.1
drwx------   2 root     other        512 Aug  9 14:30 130.73.121.11
drwx------   2 root     other       1536 Aug  9 14:38 130.73.68.1
drwx------   2 root     other        512 Aug  9 14:35 130.73.68.11
drwx------   2 root     other        512 Aug  9 13:50 130.73.68.13
drwx------   2 root     other       9216 Aug  9 14:39 130.73.68.8
drwx------   2 root     other        512 Aug  9 13:25 130.73.68.81
drwx------   2 root     other        512 Aug  9 13:34 130.73.68.82
drwx------   2 root     other        512 Aug  9 10:04 212.185.215.139
-rw-------   1 root     other     129228 Aug  9 14:39 alert
-rw-------   1 root     other    4615889 Aug  9 08:43 alert.old
-rw-r--r--   1 root     other    9361104 Aug  9 14:39 core           <---!!!
-rw-r-----   1 root     other       3499 Aug  9 08:48 index.old.html
-rw-------   1 root     other          0 Aug  9 10:03 portscan.log
-rw-------   1 root     other     257969 Aug  8 17:35 portscan.log.old
-rw-r-----   1 root     other       4229 Aug  9 08:47 SDlogo.gif
drwxr-x---   2 root     other        512 Aug  9 08:48 sig.old
vispars1% gdb /zib5/maint/snort/snort/snort core     <---!!!
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.6"...
Core was generated by `/zib5/maint/snort/snort/snort -Dd -z -y -c /zib5/maint/snort/snort/snort.conf h'.
Program terminated with signal 11, Segmentation Fault.
Reading symbols from /usr/lib/libm.so.1...done.
Reading symbols from /usr/lib/libsocket.so.1...done.
Reading symbols from /usr/lib/libnsl.so.1...done.
Reading symbols from /usr/lib/libc.so.1...done.
Reading symbols from /usr/lib/libdl.so.1...done.
Reading symbols from /usr/lib/libmp.so.2...done.
Reading symbols from /usr/platform/SUNW,Ultra-1/lib/libc_psr.so.1...done.
Reading symbols from /usr/lib/nss_files.so.1...done.
Reading symbols from /usr/lib/nss_nisplus.so.1...done.
Reading symbols from /usr/lib/libdoor.so.1...done.
#0  0x0 in ?? ()
(gdb) bt
#0  0x0 in ?? ()
#1  0x48ed0 in TreeFind (findme=0x918da8, p=0x1, parentp=0xffbef4b0, 
    gender=0xffbef4af "\002", CmpFunc=0) at ubi_BinTree.c:275
#2  0x491cc in ubi_btInsert (RootPtr=0x92ba60, NewNode=0x918da8, 
    ItemPtr=0x918da8, OldNode=0xffbef52c) at ubi_BinTree.c:632
#3  0x49848 in ubi_sptInsert (RootPtr=0x92ba60, NewNode=0x918da8, 
    ItemPtr=0x918da8, OldNode=0xffbef52c) at ubi_SplayTree.c:317
#4  0x4e50c in InsertFrag (p=0xffbef6f0, ft=0x92ba68) at spp_frag2.c:522
#5  0x4e2b8 in Frag2Defrag (p=0xffbef6f0) at spp_frag2.c:419
#6  0x28608 in Preprocess (p=0xffbef6f0) at rules.c:3427
#7  0x1c3b8 in ProcessPacket (user=0x0, pkthdr=0xc1400, pkt=0xf8b0a "\b")
    at snort.c:512
#8  0x4f1f4 in pcap_read ()
#9  0x50000 in pcap_loop ()
#10 0x1da5c in InterfaceThread (arg=0xc14a8) at snort.c:1441
#11 0x1c254 in main (argc=791720, argv=0xffbefdfc) at snort.c:445
(gdb) quit
vispars1% 



----------------------------------------------------------------------------
Rules, snort.conf files and snort binary:

vispars1% cd /zib5/maint/snort/snort
vispars1% ls -la
total 9744
drwxr-sr-x   2 maint    maint       1024 Jul 30 10:49 .
drwxrwsr-x   6 maint    maint        512 Aug  9 14:05 ..
-rw-r--r--   1 maint    maint      19894 Jul 31 09:01 backdoor.rules
-rw-r--r--   1 maint    maint       1899 Jul 17 13:08 classification.config
-rw-r--r--   1 maint    maint       5726 Jul 31 09:01 ddos.rules
-rw-r--r--   1 maint    maint       3325 Jul 31 09:01 dns.rules
-rw-r--r--   1 maint    maint       2848 Jul 31 09:01 dos.rules
-rw-r--r--   1 maint    maint       8628 Jul 31 09:01 exploit.rules
-rw-r--r--   1 maint    maint       2560 Jul 31 09:01 finger.rules
-rw-r--r--   1 maint    maint       5965 Jul 31 09:01 ftp.rules
-rw-r--r--   1 maint    maint      13415 Jul 31 09:01 icmp-info.rules
-rw-r--r--   1 maint    maint       4556 Jul 31 09:01 icmp.rules
-rw-r--r--   1 maint    maint       2074 Jul 31 09:01 info.rules
-rw-r--r--   1 maint    maint         58 Jul 31 09:01 local.rules
-rw-r--r--   1 maint    maint       4804 Jul 31 09:01 misc.rules
-rw-r--r--   1 maint    maint       2406 Jul 31 09:01 netbios.rules
-rw-r--r--   1 maint    maint       5282 Jul 31 09:01 policy.rules
-rw-r--r--   1 maint    maint       6589 Jul 31 09:01 rpc.rules
-rw-r--r--   1 maint    maint       2344 Jul 31 09:01 rservices.rules
-rw-r--r--   1 maint    maint       4392 Jul 31 09:01 scan.rules
-rw-r--r--   1 maint    maint       3250 Jul 31 09:01 shellcode.rules
-rw-r--r--   1 maint    maint       3989 Jul 31 09:01 smtp.rules
-rwxr-xr-x   1 maint    maint    4703256 Jul 17 13:08 snort
-rw-r--r--   1 maint    maint      15870 Jul 30 10:49 snort.conf
-rw-r--r--   1 maint    maint      15871 Jul 30 10:49 snort.conf~
-rw-r--r--   1 maint    maint       9006 Jul 31 09:01 sql.rules
-rw-r--r--   1 maint    maint       2629 Jul 31 09:01 telnet.rules
-rw-r--r--   1 maint    maint      12742 Jul 31 09:01 virus.rules
-rw-r--r--   1 maint    maint      19484 Jul 31 09:01 web-cgi.rules
-rw-r--r--   1 maint    maint       7637 Jul 31 09:01 web-coldfusion.rules
-rw-r--r--   1 maint    maint       7193 Jul 31 09:01 web-frontpage.rules
-rw-r--r--   1 maint    maint      16484 Jul 31 09:01 web-iis.rules
-rw-r--r--   1 maint    maint      38224 Jul 31 09:01 web-misc.rules
-rw-r--r--   1 maint    maint        593 Jul 31 09:01 x11.rules
vispars1% 
# cd /var/log/snort
# tail alert
Len: 48
[Xref => http://www.whitehats.com/info/IDS10]

[**] [1:583:1] RPC portmap request rstatd [**]
[Classification: Attempted Information Leak] [Priority: 3]
08/09-14:39:18.241486 130.73.68.8:42841 -> 130.73.68.1:111
UDP TTL:255 TOS:0x0 ID:27794 IpLen:20 DgmLen:68 DF
Len: 48
[Xref => http://www.whitehats.com/info/IDS10]

# cd 130.73.68.8;ls
UDP:40282-111  UDP:41866-111  UDP:42096-111  UDP:42339-111  UDP:42593-111
... ... ...
UDP:41863-111  UDP:42091-111  UDP:42336-111  UDP:42590-111  UDP:42841-111
# ls -la UDP:42841-111
-rw-------   1 root     other        422 Aug  9 14:39 UDP:42841-111
# 
# more UDP:42841-111
[**] RPC portmap request rstatd [**]
08/09-14:39:18.241486 130.73.68.8:42841 -> 130.73.68.1:111
UDP TTL:255 TOS:0x0 ID:27794 IpLen:20 DgmLen:68 DF
Len: 48
3B 71 0C 4D 00 00 00 00 00 00 00 02 00 01 86 A0  ;q.M............
00 00 00 03 00 00 00 06 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+




