[Snort-devel] core dump debuggers dream

Phil Wood cpw at ...86...
Mon Jul 30 15:00:48 EDT 2001


Well almost,

I have a 1 packet pcap file that when processed by snort with "output database",
will core dump on Version 1.8.1-beta5 (Build 59).

Comment out the output plugin and no core dump.

Works with just 1 rule in the configuration, and 1 packet in the pcapfile.

Here is the packet.  Anyone want to find a packet generator and create this?
I've got an incompatible pcap lib (except maybe the redhat distributions
can read it?)

(Actually, would someone send me a url for such a beast?)

# tcpdump -x -r just-one | hextotex -o 8
  00:30:29.986915 255.255.255.255.31337 > 141.111.171.204.printer: tcp 3 AR 0:3(3) ack 0 win 0
  IP: 4500002b  00000000  0e067392  ffffffff  8d6fabcc : E  +      s      o   :
 TCP: 7a690203  00000000  00000000  50140000  27ba0000 : zi          P   '    :
LOAD: 636b6f                                           : cko                  :

Here is the conf file (you whould need to modify to suit):

  var IDSBASE /d2/pw
  var LOG /tmp/xx
  var HOMENET 141.111.0.0/16
  var INTERNAL [$HOMENET]
  var EXTERNAL !$INTERNAL
  var SCANLOG $LOG/scan
  var IGNOREHOSTS 192.5.41.40
  var DBNAME acidtest
  var DBPORT 3306
  var DBUSER acidtest
  var DBPASSWD snortbegood
  var DBHOST notat.arpa.net
  preprocessor frag2
  preprocessor stream4: noalerts
  preprocessor stream4_reassemble: noalerts
  preprocessor http_decode: 80 -unicode -cginull
  preprocessor rpc_decode: 111
  preprocessor bo: -nobrute
  preprocessor telnet_decode
  preprocessor portscan: $INTERNAL 5 3 $SCANLOG
  preprocessor portscan-ignorehosts: $IGNOREHOSTS
  output database: alert, mysql, dbname=$DBNAME port=$DBPORT user=$DBUSER password=$DBPASSWD sensor_name=vy host=$DBHOST
  include $IDSBASE/scripts/classification.config
  alert tcp 255.255.255.0/24 any -> $INTERNAL any (msg: "BACKDOOR Q access"; flags:A+; dsize: >1;  reference: arachnids,203; sid:184; rev:1;)
  
Here is a script to exercise snort using the conf file and pcap file.

  #!/bin/bash
  if [ $# -gt 0 ]; then
    LOG=$1
  else
    echo gimmi a pcap file
    exit 1
  fi
  BINARY_LOG=/tmp/xx
  [ -d $BINARY_LOG ] || mkdir -p $BINARY_LOG
  rm -f $BINARY_LOG/{alert,scan}
  snort -r $LOG -N -o -c xx.conf

The core file generated looks roughly like so:
(gdb) bt
#0  ubi_btKillTree (RootPtr=0x28205345, FreeNode=0x807c128 <KillSpd>)
    at ubi_BinTree.c:906
#1  0x807bd06 in AlertFlushStream (p=0xbffff0e0, session=0x8104b68)
    at spp_stream4.c:2295
#2  0x80575f3 in Preprocess (p=0xbffff0e0) at rules.c:3439
#3  0x804b5f0 in ProcessPacket (user=0x0, pkthdr=0xbffff58c, pkt=0x80daf9b "P")
    at snort.c:519
#4  0x8087d1c in pcap_offline_read ()
#5  0x807ebb2 in pcap_loop ()
#6  0x804cb36 in InterfaceThread (arg=0x0) at snort.c:1450
#7  0x804b4d4 in main (argc=7, argv=0xbffff72c) at snort.c:452

(gdb) up
#1  0x807bd06 in AlertFlushStream (p=0xbffff0e0, session=0x8104b68)
    at spp_stream4.c:2295
2295        (void)ubi_trKillTree(Root, KillSpd);

(gdb) print ssn
$1 = (Session *) 0x8104b68

(gdb) x/28 0x8104b68
0x8104b68:      0x40246be8      0x40246be8      0x00000000      0x00003819
0x8104b78:      0x40246be8      0x40246be8      0x204f544e      0x6e657665
0x8104b88:      0x73282074      0x632c6469      0x732c6469      0x616e6769
0x8104b98:      0x65727574      0x6d69742c      0x61747365      0x2029706d
0x8104ba8:      0x554c4156      0x28205345      0x2c273127      0x38312720
0x8104bb8:      0x27202c27      0x202c2731      0x30303227      0x37302d31
0x8104bc8:      0x2039322d      0x333a3030      0x39323a30      0x2737302d

Above byte swapped and hextotex'd:

  e86b2440  e86b2440  00000000  19380000  e86b2440 :  k$@ k$@     8   k$@ :
  e86b2440  4e544f20  6576656e  74202873  69642c63 :  k$@NTO event (sid,c :
  69642c73  69676e61  74757265  2c74696d  65737461 : id,signature,timesta :
  6d702920  56414c55  45532028  2731272c  20273138 : mp) VALUES ('1', '18 :
  272c2027  31272c20  27323030  312d3037  2d323920 : ', '1', '2001-07-29  :
  30303a33  303a3239  2d303727                     : 00:30:29-07'         :

And, here is the acid incident report which made it to the sql server
before the core dump:

  Generated by ACID v0.9.6b11 on Mon July 30, 2001 12:56:55
  
  ------------------------------------------------------------------------------
  #(1 - 18) [2001-07-29 00:30:29] [arachNIDS/203]  BACKDOOR Q access
  IPv4: 255.255.255.255 -> 141.111.171.204
        hlen=5 TOS=0 dlen=43 ID=0 flags=0 offset=0 TTL=14 chksum=29586
  TCP:  port=31337 -> dport: 515  flags=***A*R** seq=0
        ack=0 off=5 res=0 win=0 urp=0 chksum=10170
  Payload:  length = 3
  
  000 : 63 6B 6F                                          cko

Notice that the sid and cid and date are identical.

Now, for some serious debugging ...

Later,

Phil




More information about the Snort-devel mailing list