[Snort-devel] Re: [Snort-users] Snort1.8p1 core dump

Patrick Fouquet Patrick.Fouquet at ...528...
Fri Jul 13 12:47:36 EDT 2001


Hi

I've removed the http_decode preprocessor and now snort doesn't crash anymore.

Core analysis:

[root at ...527... snort]# gdb snort core
GNU gdb 5.0rh-5 Red Hat Linux 7.1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `/usr/local/bin/snort -l /data/snort -i eth0 -c /usr/local/snort/snort.conf'.
Program terminated with signal 11, Segmentation fault.
#0  0x08052e91 in mSearch (
    buf=0x403310e6 "; CFTOKEN=72287012; RMID=c37348333a9bad60; REFERER=bonjour; CFID=2244376; CFTOKEN=72287012\r\nAccept-Encoding
: gzip, deflate\r\n\r\n7012\r\nAccept-Encoding: gzip, deflate\r\n\r\nIa\035=æ\233\237Ô\034Éd(LVî°íÀ)^¾)\210jÙ>öÏ)4\223u\222O"...,
 blen=65509, ptrn=0x85240e8 ".ewl", plen=4, skip=0x85240f8, shift=0x8524500) at mstring.c:472
472	{
(gdb) bt
#0  0x08052e91 in mSearch (
    buf=0x403310e6 "; CFTOKEN=72287012; RMID=c37348333a9bad60; REFERER=bonjour; CFID=2244376; CFTOKEN=72287012\r\nAccept-Encoding
: gzip, deflate\r\n\r\n7012\r\nAccept-Encoding: gzip, deflate\r\n\r\nIa\035=æ\233\237Ô\034Éd(LVî°íÀ)^¾)\210jÙ>öÏ)4\223u\222O"...,
 blen=65509, ptrn=0x85240e8 ".ewl", plen=4, skip=0x85240f8, shift=0x8524500) at mstring.c:472
#1  0x08059116 in CheckUriPatternMatch (p=0xbffff270, otn_idx=0x8523698, fp_list=0x8524518) at sp_pattern_match.c:865
#2  0x0805665f in EvalOpts (List=0x8523698, p=0xbffff270) at rules.c:4016
#3  0x08056399 in EvalHeader (rtn_idx=0x80da3b8, p=0xbffff270) at rules.c:3715
#4  0x08056324 in EvalPacket (List=0x809f8d8, mode=2, p=0xbffff270) at rules.c:3658
#5  0x080561a0 in Detect (p=0xbffff270) at rules.c:3531
#6  0x08055fd7 in Preprocess (p=0xbffff270) at rules.c:3426
#7  0x0804ba0f in ProcessPacket (user=0x0, pkthdr=0xbffff760, pkt=0x40331042 "") at snort.c:497
#8  0x08077e26 in packet_ring_recv ()
#9  0x0807814f in pcap_read ()
#10 0x08078dff in pcap_loop ()
#11 0x0804cdc0 in InterfaceThread (arg=0x0) at snort.c:1432
#12 0x0804b8df in main (argc=7, argv=0xbffff9bc) at snort.c:418
#13 0x401b6177 in ?? ()
(gdb) quit

Thanks

Patrick





Fyodor wrote:

>On Fri, Jul 13, 2001 at 02:30:54PM -0100, Patrick Fouquet wrote:
>
>>Hello
>>
>>I've tried snort1.8p1 on a little network without any problem.
>>
>>Since this morning I have moved my sensor in front of our firewall, with much, much
>>more traffic.
>>Now snort crashes after some minutes.
>>I've "parser stack overflow" on the core file.
>>
>>I've removed the defrag, frag2 and stream4 preprocessors, but snort continues to
>>crash.
>>
>
>Have a look at the BUGS file, it should give you directions on how to help us
>to examine the crash and send us the necessary information. (There are
>still quite a few 'open' bugs which we are looking into now, chances are
>that yours is one of those.. we'd love to see the crashdump results
>however :)).
>
>
>






