[Snort-devel] Re: clobbered memory structures used by stream4 Version 1.8.1-beta5 (Build 59)

Phil Wood cpw at ...86...
Sat Jul 28 22:04:06 EDT 2001


On Sat, Jul 28, 2001 at 06:39:58PM -0400, Martin Roesch wrote:
> Ooh, this is interesting.  Are you using the database plugin?  It
> actually looks like the DB plugin is hammering the stream4 session tree
> if I'm reading this right.  I'll discuss it more later this evening
> (we're going to the movies) but if you're using the DB plugin, is there
> an alert just before it crashes?

Damn, you're right!  Not only did I find it in the ACID Alert Display, but
here is the tcpdump of the packet with a little finer time granularity:

996340635.277459 P 255.255.255.255.31337 > 128.165.3.152.515: tcp 3 AR 0:3(3) ack 0 win 0
                         4500 002b 0000 0000 0e06 2891 ffff ffff
                         80a5 0398 7a69 0203 0000 0000 0000 0000
                         5014 0000 dcb8 0000 636b 6f

996340635 => Sat Jul 28 11:17:15 MDT 2001

A look at the pkth shows that the packet in the "p" structure is exactly
the packet in the tcpdump if packet time has any meaning:

(gdb) print *p->pkth
$4 = {ts = {tv_sec = 996340635, tv_usec = 277459}, caplen = 57, len = 57,
  ifindex = 0, protocol = 8, pkt_type = 3 '\003'}

I didn't bother looking cause I thought that the packet would not be recorded
since snort was in preprocessor phase with a packet yet to be snagged.  What
am I missing here?

Thanks,

> 
>      -Marty
> 
> Phil Wood wrote:
> > 
> > Marty,
> > 
> > I hope this is not one of my false alarms.  However, hang on a little bit.
> > 
> > Facts:
> > 
> >   Two different PCs snorting the same network (arpanet and radiocity).
> >   Clocks are in sync.
> >   Both have Gige cards.
> >   Two core dumps one on each machine at the same time.
> >   Both machines are running Version 1.8.1-beta5 (Build 59)
> >   arpanet is 7.0, radiocity is 6.2
> >   The libpcap is mine and identical on both systems.
> >   Both machines have same packet, and identical core files in respect to
> >     the data being examined and where they died.
> > 
> > What I think so far:
> > 
> > The dataPtr in the ssn->server structure looks like data 0x31312720 and
> > not a memory pointer.  In fact if you take the contents of ssn->server:
> > 
> > print ssn->server
> > $5 = {ip = 1932009588, port = 25705, state = 44 ',', isn = 1932289129,
> >   current_seq = 1634625385, base_seq = 1701999988, last_ack = 1835627564,
> >   win_size = 29541, pkts_sent = 539586669, bytes_sent = 1431060822, data = {
> >     root = 0x28205345, cmp = 0x2c273327, count = 892413728, flags = 55 '7'},
> >   dataPtr = 0x3227202c}
> > 
> > and convert to hex to run through a handydandy hextotex you get something
> > that looks an awful lot like maybe some kind of sound file?
> > 
> >   73282074  6469732C  6469616E  67696572  75746D69 : s( tdis,diangierutmi :
> >   742C7365  2029706D  554C4156  28205345  2c273427 : t,se )pmULAV( SE,'4' :
> >   39372720                                         : 97'                  :
> > 
> > The packet looks possibly hand crafted.
> > 
> > Not a lot to go on, but I think better than my last one.  %^)
> > 
> > Phil
> > 
> > ============================================================================
> > Version 1.8.1-beta5 (Build 59)
> > Fault on arpanet @ Jul 28 11:17
> > #0  ubi_btKillTree (RootPtr=0x3227202c, FreeNode=0x807b51c <KillSpd>)
> >     at ubi_BinTree.c:906
> > 906       {
> > (gdb) up
> > #1  0x807b05c in AlertFlushStream (p=0xbffff1f8, session=0x87fff50)
> >     at spp_stream4.c:2295
> > 2295        (void)ubi_trKillTree(Root, KillSpd);
> > (gdb) print *p
> > $1 = {pkth = 0xbffff6d8, pkt = 0x4062b042 "", fddihdr = 0x0, fddisaps = 0x0,
> >   fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0,
> >   trhmr = 0x0, sllh = 0x0, eh = 0x4062b042, vh = 0x0, ehllc = 0x0,
> >   ehllcother = 0x0, ah = 0x0, iph = 0x4062b050, orig_iph = 0x0,
> >   ip_options_len = 0, ip_options_data = 0x0, tcph = 0x4062b064,
> >   orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0,
> >   orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0,
> >   data = 0x4062b078 "cko\n\001\001(\037", dsize = 3, frag_flag = 0 '\000',
> >   frag_offset = 0, mf = 0 '\000', df = 0 '\000', rf = 0 '\000', sp = 31337,
> >   dp = 515, orig_sp = 0, orig_dp = 0, caplen = 0, URI = {uri = 0x0,
> >     length = 0}, ssnptr = 0x87fff50, ip_options = {{code = 0 '\000', len = 0,
> >       data = 0x0} <repeats 40 times>}, ip_option_count = 0,
> >   ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0,
> >       data = 0x0} <repeats 40 times>}, tcp_option_count = 0,
> >   tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', packet_flags = 4,
> >   wire_packet = 0 '\000'}
> > (gdb)  x/16 p->pkt
> > 0x4062b042:     0xcd1d0000      0x6000fd46      0x00875083      0x00450008
> > 0x4062b052:     0x00002b00      0x060e0000      0xffff9128      0xa580ffff
> > 0x4062b062:     0x697a9803      0x00000302      0x00000000      0x14500000
> > 0x4062b072:     0xb8dc0000      0x6b630000      0x01010a6f      0x4e001f28
> > 
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | VER=4 | IHL=5 | ROU | | | | | | Total Length = 43             |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | Identification = 0            | | | | Fragment Offset = 0     |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   |    TTL=14     | Protocol = 6  | Header Checksum = 10385       |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | Source Address  = 255.255.255.255                             |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | Destination Address  = 128.165.3.152                          |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >         RFC793: TRANSMISSION CONTROL PROTOCOL, September 1981
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | Source Port = 31337           | Destination Port = 515        |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | Sequence Number = 0                                           |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | Acknowledgment Number = 0                                     |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | OFF=5 | | | | | | | |A| |R| | |  Window = 0                   |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | Checksum = 56504              | Urgent Pointer = 0            |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >                                 Data
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   :  636b6f0a  0101281f  004e                  : cko   (  N       :
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > 
> > ==========================================================================
> > Version 1.8.1-beta5 (Build 59)
> > Fault on radiocity @ Jul 28 11:17
> > 
> > #0  ubi_btKillTree (RootPtr=0x31312720, FreeNode=0x807f7cc <KillSpd>)
> >     at ubi_BinTree.c:906
> > #1  0x807f373 in AlertFlushStream (p=0xbfffef7c, session=0x86e7cd0)
> >     at spp_stream4.c:2295
> > #2  0x80593f4 in Preprocess (p=0xbfffef7c) at rules.c:3439
> > #3  0x804c790 in ProcessPacket (user=0x0, pkthdr=0xbffff468, pkt=0x40a9f672 "")
> >     at snort.c:519
> > #4  0x808123c in packet_ring_recv ()
> > #5  0x8081574 in pcap_read ()
> > #6  0x8082313 in pcap_loop ()
> > #7  0x804de87 in InterfaceThread (arg=0x0) at snort.c:1450
> > #8  0x804c674 in main (argc=20, argv=0xbffff65c) at snort.c:452
> > (gdb) print *FreeNode
> > $1 = {void ()} 0x807f7cc <KillSpd>
> > (gdb) print *P
> > $1 = {Link = {0x4015dd68, 0x4015dd68, 0x204f544e}, gender = 101 'e',
> >   balance = 118 'v'}
> > 
> > (gdb) up
> > #1  0x807f373 in AlertFlushStream (p=0xbfffef7c, session=0x86e7cd0)
> >     at spp_stream4.c:2295
> > 2295        (void)ubi_trKillTree(Root, KillSpd);
> > (gdb) print *p
> > $2 = {pkth = 0xbffff468, pkt = 0x40a9f672 "", fddihdr = 0x0, fddisaps = 0x0,
> >   fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0,
> >   trhmr = 0x0, sllh = 0x0, eh = 0x40a9f672, vh = 0x0, ehllc = 0x0,
> >   ehllcother = 0x0, ah = 0x0, iph = 0x40a9f680, orig_iph = 0x0,
> >   ip_options_len = 0, ip_options_data = 0x0, tcph = 0x40a9f694,
> >   orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0,
> >   orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0,
> >   data = 0x40a9f6a8 "cko\n\001\001(\037", dsize = 3, frag_flag = 0 '\000',
> >   frag_offset = 0, mf = 0 '\000', df = 0 '\000', rf = 0 '\000', sp = 31337,
> >   dp = 515, orig_sp = 0, orig_dp = 0, caplen = 0, URI = {uri = 0x0,
> >     length = 0}, ssnptr = 0x86e7cd0, ip_options = {{code = 0 '\000', len = 0,
> >       data = 0x0} <repeats 40 times>}, ip_option_count = 0,
> >   ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0,
> >       data = 0x0} <repeats 40 times>}, tcp_option_count = 0,
> >   tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', packet_flags = 4,
> >   wire_packet = 0 '\000'}
> > (gdb) x/ p->data
> > 0x40a9f6a8:     0x0a6f6b63
> > (gdb) print p->pkth
> > $3 = (struct pcap_pkthdr *) 0xbffff468
> > (gdb) print *p->pkth
> > $4 = {ts = {tv_sec = 996340635, tv_usec = 277459}, caplen = 57, len = 57,
> >   ifindex = 0, protocol = 8, pkt_type = 3 '\003'}
> > (gdb) x/16 p->pkt
> > 0x40a9f672:     0xcd1d0000      0x6000fd46      0x00875083      0x00450008
> > 0x40a9f682:     0x00002b00      0x060e0000      0xffff9128      0xa580ffff
> > 0x40a9f692:     0x697a9803      0x00000302      0x00000000      0x14500000
> > 0x40a9f6a2:     0xb8dc0000      0x6b630000      0x01010a6f      0x4e001f28
> > (gdb)
> > 
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | VER=4 | IHL=5 | ROU | | | | | | Total Length = 43             |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | Identification = 0            | | | | Fragment Offset = 0     |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   |    TTL=14     | Protocol = 6  | Header Checksum = 10385       |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | Source Address  = 255.255.255.255                             |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | Destination Address  = 128.165.3.152                          |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >         RFC793: TRANSMISSION CONTROL PROTOCOL, September 1981
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | Source Port = 31337           | Destination Port = 515        |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | Sequence Number = 0                                           |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | Acknowledgment Number = 0                                     |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | OFF=5 | | | | | | | |A| |R| | |  Window = 0                   |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   | Checksum = 56504              | Urgent Pointer = 0            |
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >                                 Data
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >   :  636b6f0a  0101281f  004e                  : cko   (  N       :
> >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > 
> > #2  0x80593f4 in Preprocess (p=0xbfffef7c) at rules.c:3439
> > 3439                AlertFlushStream(p, p->ssnptr);
> > (gdb) list
> > 3434
> > 3435            if(retval &&
> > 3436               !(p->packet_flags & PKT_REBUILT_STREAM))
> > 3437            {
> > 3438                /* flush any stream that this packet is associated with */
> > 3439                AlertFlushStream(p, p->ssnptr);
> > 3440            }
> > 3441        }
> > 3442
> > 3443        if(otn_tmp != NULL)
> > (gdb) print p->ssnptr
> > $6 = (void *) 0x86e7cd0
> > 
> > (gdb) down
> > #1  0x807f373 in AlertFlushStream (p=0xbfffef7c, session=0x86e7cd0)
> >     at spp_stream4.c:2295
> > 2295        (void)ubi_trKillTree(Root, KillSpd);
> > (gdb) print ssn->server
> > print ssn->server
> > $7 = {ip = 1932009588, port = 25705, state = 44 ',', isn = 1932289129,
> >   current_seq = 1634625385, base_seq = 1701999988, last_ack = 1835627564,
> >   win_size = 29541, pkts_sent = 539586669, bytes_sent = 1431060822, data = {
> >     root = 0x28205345, cmp = 0x2c273427, count = 959915808, flags = 51 '3'},
> >   dataPtr = 0x31312720}
> > 
> > (gdb) list
> > 2290
> > 2291
> > 2292
> > 2293    void DeleteSpd(ubi_trRootPtr Root, int log)
> > 2294    {
> > 2295        (void)ubi_trKillTree(Root, KillSpd);
> > 2296    }
> > 2297
> > 2298
> > 2299    int GetDirection(Session *ssn, Packet *p)
> > (gdb) down
> > #0  ubi_btKillTree (RootPtr=0x31312720, FreeNode=0x807f7cc <KillSpd>)
> >     at ubi_BinTree.c:906
> > 906       {
> > (gdb) list
> > 901        *           root.  This function will return NULL only if P is NULL.
> > 902        *  Note:    In general, you will be passing in the value of the root field
> > 903        *           of an ubi_btRoot structure.
> > 904        * ------------------------------------------------------------------------ **
> > 905        */
> > 906       {
> > 907       return( SubSlide( P, ubi_trLEFT ) );
> > 908       } /* ubi_btFirst */
> > 909
> > 910     ubi_btNodePtr ubi_btLast( ubi_btNodePtr P )
> > (gdb) print *P
> > $4 = {Link = {0x4015dd68, 0x4015dd68, 0x204f544e}, gender = 101 'e',
> >   balance = 118 'v'}
> > 
> > --
> > Phil Wood, cpw at ...86...
> 
> --
> Martin Roesch
> roesch at ...402...
> http://www.sourcefire.com - http://www.snort.org

-- 
Phil Wood, cpw at ...86...
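Phil's hex-to-text dump above reads each word big-endian, which reverses the byte order of an x86 host. The script below is an added example, not code from the thread or from Snort: it repacks the gdb field values of ssn->server (arpanet) little-endian at the offsets a 32-bit x86 compiler gives this struct (the layout and padding are assumed, since gdb does not show padding) and renders the bytes as text, which comes out as a fragment of an SQL INSERT listing sid/cid/signature/timestamp and VALUES, consistent with Marty's database-plugin suspicion. It also applies the "all bytes printable" test that makes a clobbered pointer such as dataPtr stand out from a real heap address.

```python
import struct

# ssn->server on arpanet as gdb printed it, at the offsets a 32-bit x86 build
# gives this struct (assumed): (name, offset, format, value); padding stays '?'.
ARPANET_SERVER = [
    ("ip",          0,  "I", 1932009588),
    ("port",        4,  "H", 25705),
    ("state",       6,  "B", 44),           # ','
    ("isn",         8,  "I", 1932289129),
    ("current_seq", 12, "I", 1634625385),
    ("base_seq",    16, "I", 1701999988),
    ("last_ack",    20, "I", 1835627564),
    ("win_size",    24, "H", 29541),
    ("pkts_sent",   28, "I", 539586669),
    ("bytes_sent",  32, "I", 1431060822),
    ("data.root",   36, "I", 0x28205345),
    ("data.cmp",    40, "I", 0x2c273327),
    ("data.count",  44, "I", 892413728),
    ("data.flags",  48, "B", 55),           # '7'
    ("dataPtr",     52, "I", 0x3227202c),
]

def printable(b):
    """True for a byte in the printable ASCII range (no control characters)."""
    return 0x20 <= b < 0x7f

def looks_like_text(value, width=4):
    """Heuristic: every byte of the little-endian integer is printable ASCII.
    A real x86 pointer (0x08..., 0x40..., 0xbf...) fails this test."""
    return all(printable(b) for b in value.to_bytes(width, "little"))

def raw_bytes(fields, size=56):
    """Rebuild the struct's memory image from the gdb field values."""
    buf = bytearray(b"?" * size)          # '?' marks padding gdb never showed
    for _, off, fmt, val in fields:
        struct.pack_into("<" + fmt, buf, off, val)
    return bytes(buf)

def as_text(buf):
    """Render the image as text; unknown padding stays '?', other bytes '.'."""
    return "".join(chr(b) if printable(b) else "." for b in buf)

def text_fields(fields):
    """Names of the 32-bit fields whose content decodes as pure text."""
    return [n for n, _, fmt, val in fields if fmt == "I" and looks_like_text(val)]

if __name__ == "__main__":
    print(as_text(raw_bytes(ARPANET_SERVER)))
    print("text-looking 32-bit fields:", text_fields(ARPANET_SERVER))
```

The same repacking applied to the radiocity values (cmp 0x2c273427, count 959915808, dataPtr 0x31312720) gives a different sid/cid pair, so each machine's session was overwritten by its own freshly built query string rather than by the packet itself.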
