[Snort-devel] Stream4 problem

Sjsnort sjsnort at ...398...
Sat Jun 30 09:47:28 EDT 2001


Hi,

I am running Solaris 2.6/UltraSparc-II Snort 1.8 Beta8 Build 33. After
running Snort this way for a while:

snort -d -C -i hme1 -c ../conf/snort.conf -l /sw/snort

-----snort.conf----------
preprocessor defrag
preprocessor stream4: keepstats, noalerts
preprocessor stream4_reassemble: noalerts
preprocessor telnet_decode
preprocessor http_decode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor portscan: $INTERNAL 5 5 portscan
preprocessor portscan-ignorehosts: $DNS_SERVERS

output alert_full: alert
output database: alert, mysql, user=xxxx password=xxxx dbname=snort host=localhost
------------------------------------

The problems I got were:

1. Snort crashed. GDB gave this:
#0  0x5f044 in StoreStreamPkt (ssn=0xfc9b0c, p=0xeffff610, pkt_seq=3028826970) at spp_stream4.c:1877
1877                if(idx->next->seq_num == spd->seq_num)

2. Snort gave several "Ran out of space" errors and stopped logging anything
to the "alert" file. GDB gave this:
#0  ReassembleIP (froot=0x0) at spp_defrag.c:760
760         psize = (froot->key)->dsize + ((froot->key->frag_offset)<<3); /* last frag is at top of tree */


Siddhartha






