[Snort-devel] Re: clobbered memory structures used by stream4 Version 1.8.1-beta5 (Build 59)

Martin Roesch roesch at ...402...
Sat Jul 28 19:56:14 EDT 2001


Ok, here's the deal.  When an alert goes off for a packet that is being
monitored in stream4, the stream code wants to flush that stream so we
don't get double detects for the same data.  The call to
AlertFlushStream() is made after the detection engine returns from doing
its job (Detect() is called from within Preprocess()); this is the call
that will clear the stream from the session pointer (for the current
side of the stream).  

So, it looks/sounds like what's happening is the database plugin is
stomping into stream4's session storage structs and hammering the
session that just got accessed flat.  That's bad, m'kay. :)

The place that it seems to be happening is where the queries for the
database are being put together; it might be advantageous to use
automatic variables in spo_database instead of allocating static sizes
repeatedly to pointers.  If this is recreatable, it might be nice to
save the packet traces in binary mode and send them to me so I can step
through them and see when and where it happens.

What alert is going off?  

     -Marty


Phil Wood wrote:
> 
> On Sat, Jul 28, 2001 at 06:39:58PM -0400, Martin Roesch wrote:
> > Ooh, this is interesting.  Are you using the database plugin?  It
> > actually looks like the DB plugin is hammering the stream4 session tree
> > if I'm reading this right.  I'll discuss it more later this evening
> > (we're going to the movies) but if you're using the DB plugin, is there
> > an alert just before it crashes?
> 
> Damn, you're right!  Not only did I find it in the ACID Alert Display, but
> here is the tcpdump of the packet with a little finer time granularity:
> 
> 996340635.277459 P 255.255.255.255.31337 > 128.165.3.152.515: tcp 3 AR 0:3(3) ack 0 win 0
>                          4500 002b 0000 0000 0e06 2891 ffff ffff
>                          80a5 0398 7a69 0203 0000 0000 0000 0000
>                          5014 0000 dcb8 0000 636b 6f
> 
> 996340635 => Sat Jul 28 11:17:15 MDT 2001
> 
> A look at the pkth shows that the packet in the "p" structure is exactly
> the packet in the tcpdump if packet time has any meaning:
> 
> (gdb) print *p->pkth
> $4 = {ts = {tv_sec = 996340635, tv_usec = 277459}, caplen = 57, len = 57,
>   ifindex = 0, protocol = 8, pkt_type = 3 '\003'}
> 
> I didn't bother looking cause I thought that the packet would not be recorded
> since snort was in preprocessor phase with a packet yet to be snagged.  What
> am I missing here?
> 
> Thanks,
> 
> >
> >      -Marty
> >
> > Phil Wood wrote:
> > >
> > > Marty,
> > >
> > > I hope this is not one of my false alarms.  However, hang on a little bit.
> > >
> > > Facts:
> > >
> > >   Two different PCs snorting the same network (arpanet and radiocity).
> > >   Clocks are in sync.
> > >   Both have Gige cards
> > >   Two core dumps one on each machine at the same time.
> > >   Both machines are running Version 1.8.1-beta5 (Build 59)
> > >   arpanet is 7.0, radiocity is 6.2
> > >   The libpcap is mine and identical on both systems.
> > >   Both machines have same packet, and identical core files in respect to
> > >     the data being examined and where they died.
> > >
> > > What I think so far:
> > >
> > > The dataPtr in the ssn->server structure looks like data 0x31312720 and
> > > not a memory pointer.  In fact if you take the contents of ssn->server:
> > >
> > > print ssn->server
> > > $5 = {ip = 1932009588, port = 25705, state = 44 ',', isn = 1932289129,
> > >   current_seq = 1634625385, base_seq = 1701999988, last_ack = 1835627564,
> > >   win_size = 29541, pkts_sent = 539586669, bytes_sent = 1431060822, data = {
> > >     root = 0x28205345, cmp = 0x2c273327, count = 892413728, flags = 55 '7'},
> > >   dataPtr = 0x3227202c}
> > >
> > > and convert to hex to run through a handydandy hextotex you get something
> > > that looks an awful lot like maybe some kind of sound file?
> > >
> > >   73282074  6469732C  6469616E  67696572  75746D69 : s( tdis,diangierutmi :
> > >   742C7365  2029706D  554C4156  28205345  2c273427 : t,se )pmULAV( SE,'4' :
> > >   39372720                                         : 97'                  :
> > >
> > > The packet looks possibly hand crafted.
> > >
> > > Not a lot to go on, but I think better than my last one.  %^)
> > >
> > > Phil
> > >
> > > ============================================================================
> > > Version 1.8.1-beta5 (Build 59)
> > > Fault on arpanet @ Jul 28 11:17
> > > #0  ubi_btKillTree (RootPtr=0x3227202c, FreeNode=0x807b51c <KillSpd>)
> > >     at ubi_BinTree.c:906
> > > 906       {
> > > (gdb) up
> > > #1  0x807b05c in AlertFlushStream (p=0xbffff1f8, session=0x87fff50)
> > >     at spp_stream4.c:2295
> > > 2295        (void)ubi_trKillTree(Root, KillSpd);
> > > (gdb) print *p
> > > $1 = {pkth = 0xbffff6d8, pkt = 0x4062b042 "", fddihdr = 0x0, fddisaps = 0x0,
> > >   fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0,
> > >   trhmr = 0x0, sllh = 0x0, eh = 0x4062b042, vh = 0x0, ehllc = 0x0,
> > >   ehllcother = 0x0, ah = 0x0, iph = 0x4062b050, orig_iph = 0x0,
> > >   ip_options_len = 0, ip_options_data = 0x0, tcph = 0x4062b064,
> > >   orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0,
> > >   orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0,
> > >   data = 0x4062b078 "cko\n\001\001(\037", dsize = 3, frag_flag = 0 '\000',
> > >   frag_offset = 0, mf = 0 '\000', df = 0 '\000', rf = 0 '\000', sp = 31337,
> > >   dp = 515, orig_sp = 0, orig_dp = 0, caplen = 0, URI = {uri = 0x0,
> > >     length = 0}, ssnptr = 0x87fff50, ip_options = {{code = 0 '\000', len = 0,
> > >       data = 0x0} <repeats 40 times>}, ip_option_count = 0,
> > >   ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0,
> > >       data = 0x0} <repeats 40 times>}, tcp_option_count = 0,
> > >   tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', packet_flags = 4,
> > >   wire_packet = 0 '\000'}
> > > (gdb)  x/16 p->pkt
> > > 0x4062b042:     0xcd1d0000      0x6000fd46      0x00875083      0x00450008
> > > 0x4062b052:     0x00002b00      0x060e0000      0xffff9128      0xa580ffff
> > > 0x4062b062:     0x697a9803      0x00000302      0x00000000      0x14500000
> > > 0x4062b072:     0xb8dc0000      0x6b630000      0x01010a6f      0x4e001f28
> > >
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | VER=4 | IHL=5 | ROU | | | | | | Total Length = 43             |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | Identification = 0            | | | | Fragment Offset = 0     |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   |    TTL=14     | Protocol = 6  | Header Checksum = 10385       |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | Source Address  = 255.255.255.255                             |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | Destination Address  = 128.165.3.152                          |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >         RFC793: TRANSMISSION CONTROL PROTOCOL, September 1981
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | Source Port = 31337           | Destination Port = 515        |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | Sequence Number = 0                                           |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | Acknowledgment Number = 0                                     |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | OFF=5 | | | | | | | |A| |R| | |  Window = 0                   |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | Checksum = 56504              | Urgent Pointer = 0            |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >                                 Data
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   :  636b6f0a  0101281f  004e                  : cko   (  N       :
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
> > >
> > > ==========================================================================
> > > Version 1.8.1-beta5 (Build 59)
> > > Fault on radiocity @ Jul 28 11:17
> > >
> > > #0  ubi_btKillTree (RootPtr=0x31312720, FreeNode=0x807f7cc <KillSpd>)
> > >     at ubi_BinTree.c:906
> > > #1  0x807f373 in AlertFlushStream (p=0xbfffef7c, session=0x86e7cd0)
> > >     at spp_stream4.c:2295
> > > #2  0x80593f4 in Preprocess (p=0xbfffef7c) at rules.c:3439
> > > #3  0x804c790 in ProcessPacket (user=0x0, pkthdr=0xbffff468, pkt=0x40a9f672 "")
> > >     at snort.c:519
> > > #4  0x808123c in packet_ring_recv ()
> > > #5  0x8081574 in pcap_read ()
> > > #6  0x8082313 in pcap_loop ()
> > > #7  0x804de87 in InterfaceThread (arg=0x0) at snort.c:1450
> > > #8  0x804c674 in main (argc=20, argv=0xbffff65c) at snort.c:452
> > > (gdb) print *FreeNode
> > > $1 = {void ()} 0x807f7cc <KillSpd>
> > > (gdb) print *P
> > > $1 = {Link = {0x4015dd68, 0x4015dd68, 0x204f544e}, gender = 101 'e',
> > >   balance = 118 'v'}
> > >
> > > (gdb) up
> > > #1  0x807f373 in AlertFlushStream (p=0xbfffef7c, session=0x86e7cd0)
> > >     at spp_stream4.c:2295
> > > 2295        (void)ubi_trKillTree(Root, KillSpd);
> > > (gdb) print *p
> > > $2 = {pkth = 0xbffff468, pkt = 0x40a9f672 "", fddihdr = 0x0, fddisaps = 0x0,
> > >   fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0,
> > >   trhmr = 0x0, sllh = 0x0, eh = 0x40a9f672, vh = 0x0, ehllc = 0x0,
> > >   ehllcother = 0x0, ah = 0x0, iph = 0x40a9f680, orig_iph = 0x0,
> > >   ip_options_len = 0, ip_options_data = 0x0, tcph = 0x40a9f694,
> > >   orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0,
> > >   orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0,
> > >   data = 0x40a9f6a8 "cko\n\001\001(\037", dsize = 3, frag_flag = 0 '\000',
> > >   frag_offset = 0, mf = 0 '\000', df = 0 '\000', rf = 0 '\000', sp = 31337,
> > >   dp = 515, orig_sp = 0, orig_dp = 0, caplen = 0, URI = {uri = 0x0,
> > >     length = 0}, ssnptr = 0x86e7cd0, ip_options = {{code = 0 '\000', len = 0,
> > >       data = 0x0} <repeats 40 times>}, ip_option_count = 0,
> > >   ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0,
> > >       data = 0x0} <repeats 40 times>}, tcp_option_count = 0,
> > >   tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', packet_flags = 4,
> > >   wire_packet = 0 '\000'}
> > > (gdb) x/ p->data
> > > 0x40a9f6a8:     0x0a6f6b63
> > > (gdb) print p->pkth
> > > $3 = (struct pcap_pkthdr *) 0xbffff468
> > > (gdb) print *p->pkth
> > > $4 = {ts = {tv_sec = 996340635, tv_usec = 277459}, caplen = 57, len = 57,
> > >   ifindex = 0, protocol = 8, pkt_type = 3 '\003'}
> > > (gdb) x/16 p->pkt
> > > 0x40a9f672:     0xcd1d0000      0x6000fd46      0x00875083      0x00450008
> > > 0x40a9f682:     0x00002b00      0x060e0000      0xffff9128      0xa580ffff
> > > 0x40a9f692:     0x697a9803      0x00000302      0x00000000      0x14500000
> > > 0x40a9f6a2:     0xb8dc0000      0x6b630000      0x01010a6f      0x4e001f28
> > > (gdb)
> > >
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | VER=4 | IHL=5 | ROU | | | | | | Total Length = 43             |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | Identification = 0            | | | | Fragment Offset = 0     |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   |    TTL=14     | Protocol = 6  | Header Checksum = 10385       |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | Source Address  = 255.255.255.255                             |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | Destination Address  = 128.165.3.152                          |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >         RFC793: TRANSMISSION CONTROL PROTOCOL, September 1981
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | Source Port = 31337           | Destination Port = 515        |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | Sequence Number = 0                                           |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | Acknowledgment Number = 0                                     |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | OFF=5 | | | | | | | |A| |R| | |  Window = 0                   |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   | Checksum = 56504              | Urgent Pointer = 0            |
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >                                 Data
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >   :  636b6f0a  0101281f  004e                  : cko   (  N       :
> > >   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > >
> > > #2  0x80593f4 in Preprocess (p=0xbfffef7c) at rules.c:3439
> > > 3439                AlertFlushStream(p, p->ssnptr);
> > > (gdb) list
> > > 3434
> > > 3435            if(retval &&
> > > 3436               !(p->packet_flags & PKT_REBUILT_STREAM))
> > > 3437            {
> > > 3438                /* flush any stream that this packet is associated with */
> > > 3439                AlertFlushStream(p, p->ssnptr);
> > > 3440            }
> > > 3441        }
> > > 3442
> > > 3443        if(otn_tmp != NULL)
> > > (gdb) print p->ssnptr
> > > $6 = (void *) 0x86e7cd0
> > >
> > > (gdb) down
> > > #1  0x807f373 in AlertFlushStream (p=0xbfffef7c, session=0x86e7cd0)
> > >     at spp_stream4.c:2295
> > > 2295        (void)ubi_trKillTree(Root, KillSpd);
> > > (gdb) print ssn->server
> > > print ssn->server
> > > $7 = {ip = 1932009588, port = 25705, state = 44 ',', isn = 1932289129,
> > >   current_seq = 1634625385, base_seq = 1701999988, last_ack = 1835627564,
> > >   win_size = 29541, pkts_sent = 539586669, bytes_sent = 1431060822, data = {
> > >     root = 0x28205345, cmp = 0x2c273427, count = 959915808, flags = 51 '3'},
> > >   dataPtr = 0x31312720}
> > >
> > > (gdb) list
> > > 2290
> > > 2291
> > > 2292
> > > 2293    void DeleteSpd(ubi_trRootPtr Root, int log)
> > > 2294    {
> > > 2295        (void)ubi_trKillTree(Root, KillSpd);
> > > 2296    }
> > > 2297
> > > 2298
> > > 2299    int GetDirection(Session *ssn, Packet *p)
> > > (gdb) down
> > > #0  ubi_btKillTree (RootPtr=0x31312720, FreeNode=0x807f7cc <KillSpd>)
> > >     at ubi_BinTree.c:906
> > > 906       {
> > > (gdb) list
> > > 901        *           root.  This function will return NULL only if P is NULL.
> > > 902        *  Note:    In general, you will be passing in the value of the root field
> > > 903        *           of an ubi_btRoot structure.
> > > 904        * ------------------------------------------------------------------------ **
> > > 905        */
> > > 906       {
> > > 907       return( SubSlide( P, ubi_trLEFT ) );
> > > 908       } /* ubi_btFirst */
> > > 909
> > > 910     ubi_btNodePtr ubi_btLast( ubi_btNodePtr P )
> > > (gdb) print *P
> > > $4 = {Link = {0x4015dd68, 0x4015dd68, 0x204f544e}, gender = 101 'e',
> > >   balance = 118 'v'}
> > >
> > > --
> > > Phil Wood, cpw at ...86...
> >
> > --
> > Martin Roesch
> > roesch at ...402...
> > http://www.sourcefire.com - http://www.snort.org
> 
> --
> Phil Wood, cpw at ...86...
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
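As an added illustration that is not part of the thread (it assumes the little-endian x86 layout both backtraces come from): redoing Phil's hex-to-text step in memory byte order on the ssn->server values from the radiocity dump, plus a printable-bytes heuristic for spotting fields that hold string data where a tree root pointer or packet counter belongs. Decoded this way the fields read "...signature,tim...mp) VALUES ('4', '79..." rather than a sound file, which is what Marty's spo_database query-assembly theory predicts.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: the ssn->server values gdb printed for the radiocity
 * core dump quoted above, in struct order: ip, isn, current_seq, base_seq,
 * last_ack, pkts_sent, bytes_sent, data.root, data.cmp, data.count, dataPtr
 * (port, state and flags are narrower than a word and are left out). */
static const uint32_t fields[] = {
    1932009588u, 1932289129u, 1634625385u, 1701999988u, 1835627564u,
    539586669u, 1431060822u, 0x28205345u, 0x2c273427u, 959915808u, 0x31312720u,
};
#define NFIELDS (sizeof fields / sizeof fields[0])

static int printable(unsigned char b) { return b >= 0x20 && b <= 0x7e; }

/* Render a 32-bit word as the four bytes it occupies in memory on a
 * little-endian host (x86, where both cores came from); non-printable
 * bytes become '.'.  out must hold at least 5 chars. */
void word_to_ascii_le(uint32_t w, char out[5]) {
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(w >> (8 * i));
        out[i] = printable(b) ? (char)b : '.';
    }
    out[4] = '\0';
}

/* Heuristic: four printable bytes in a field that should hold a heap
 * pointer (0x08xxxxxx in these backtraces) or a packet counter is a
 * strong sign that string data was written over the struct. */
int word_looks_like_text(uint32_t w) {
    for (int i = 0; i < 4; i++)
        if (!printable((unsigned char)(w >> (8 * i)))) return 0;
    return 1;
}

/* Decode every sampled field into buf (at least NFIELDS*4+1 bytes) in
 * struct order and return how many look like text.  gdb does not print
 * the padding bytes between fields, so the recovered string has gaps. */
int decode_fields(char *buf) {
    int n = 0;
    for (size_t i = 0; i < NFIELDS; i++) {
        word_to_ascii_le(fields[i], buf + 4 * i);
        n += word_looks_like_text(fields[i]);
    }
    return n;
}
```

Calling decode_fields() on this sample reports all 11 fields as text-like and leaves the buffer reading `t (sid,signature,timmp) VALUES ('4', '79 '11`; the same check applied to a real pointer such as KillSpd's 0x807f7cc returns 0 because its low byte is not printable.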