[Snort-devel] Segmentation fault in snort Version 1.8-RELEASE (Build 43)

Marcin Gozdalik gozdal at ...636...
Mon Aug 27 13:14:55 EDT 2001


Hi!

snort segfaults once in a while on my machine (Slack 8.0 on a Pentium, custom
kernel 2.4.8). The command line is
snort -i ppp0 -p -c /etc/snort/rules/snort.conf where snort.conf is:
#--------------------------------------------------
#   http://www.snort.org     Snort 1.8.0 Ruleset
#     Contact: snort-sigs at lists.sourceforge.net
#--------------------------------------------------
# NOTE:This ruleset only works for 1.8.0 and later
#--------------------------------------------------
# $Id: snort.conf,v 1.62 2001/08/12 04:31:01 roesch Exp $
#
###################################################

var HOME_NET [$eth0_ADDRESS,$eth1_ADDRESS,$eth2_ADDRESS,my_external_ip]

var EXTERNAL_NET any

var SMTP [192.168.1.1,192.168.2.1,192.168.3.1,my_external_ip]

var HTTP_SERVERS [192.168.1.1,192.168.2.1,192.168.3.1,my_external_ip]

var SQL_SERVERS $HOME_NET

var DNS_SERVERS [192.168.1.1,192.168.2.1,192.168.3.1,my_external_ip,195.187.245.51,194.204.159.1,194.204.152.34]

preprocessor frag2

preprocessor stream4: detect_scans

preprocessor stream4_reassemble

preprocessor unidecode: 80

preprocessor rpc_decode: 111

preprocessor bo: -nobrute

preprocessor telnet_decode

preprocessor portscan: $HOME_NET 4 3 portscan.log

preprocessor portscan-ignorehosts: $DNS_SERVERS

output alert_syslog: LOG_AUTH LOG_ALERT

include classification.config

include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
# include shellcode.rules
include misc.rules
# include policy.rules
# include info.rules
# include icmp-info.rules
# include virus.rules
include local.rules

where the rules are the ones downloaded from snort.org together with the source.
The backtrace follows:

#0  0x807380e in Rotate (p=0x80a2634) at ubi_SplayTree.c:212
212         parentp->Link[(int)way] = tmp;
(gdb) bt
#0  0x807380e in Rotate (p=0x80a2634) at ubi_SplayTree.c:212
#1  0x807386e in Splay (SplayWithMe=0x80a2634) at ubi_SplayTree.c:252
#2  0x80738f8 in ubi_sptRemove (RootPtr=0x80a2634, DeadNode=0x80a2634)
    at ubi_SplayTree.c:346
#3  0x80767bd in DeleteSession (ssn=0x80a2634, time=998924009)
    at spp_stream4.c:2109
#4  0x8076b84 in PruneSessionCache (thetime=998924009, mustdie=0)
    at spp_stream4.c:2290
#5  0x807547e in ReassembleStream4 (p=0xbffff378) at spp_stream4.c:1152
#6  0x8055d46 in Preprocess (p=0xbffff378) at rules.c:3427
#7  0x804b220 in ProcessPacket (user=0x0, pkthdr=0xbffff838, pkt=0x80d81a8 "E")
    at snort.c:512
#8  0x8078a40 in pcap_read_packet ()
#9  0x8078893 in pcap_read ()
#10 0x80797fc in pcap_loop ()
#11 0x804c71e in InterfaceThread (arg=0x0) at snort.c:1441
#12 0x804b104 in main (argc=7, argv=0xbffffa04) at snort.c:445

Snort seems to fault more often when it's run in daemon mode but it's only
my intuition.

Cheers,
Marcin




