[Snort-devel] tag: segfaults;

Pascal Bouchareine pb at ...858...
Mon Nov 5 05:03:01 EST 2001


Using snort with an output database: alert, ... and a log_tcpdump,
the following test rule:

alert TCP $INTERNAL_AUDIT any -> $ORACLE 1024: (\
                                    msg: "audited sqlplus login"; \
                                    flags: A+; content: "SQL*Plus"; \
                                    classtype: policy; \
                                    tag: session, 300, packets;)

Snort dumps core when the rule is triggered.

snoop3# gdb --core /opt/snort/etc/snort.core /opt/snort/bin/snort
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `snort'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libz.so.2...done.
Reading symbols from /usr/lib/libpcap.so.2...done.
Reading symbols from /usr/lib/libm.so.2...done.
Reading symbols from /usr/local/lib/mysql/libmysqlclient.so.6...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x0 in ?? ()
(gdb) bt
#0  0x0 in ?? ()
#1  0x807372d in qFind (cmp=0, FindMe=0xbfbff50c, p=0x8171a80)
    at ubi_BinTree.c:236
#2  0x8073c45 in ubi_btFind (RootPtr=0x80a55d0, FindMe=0xbfbff50c)
    at ubi_BinTree.c:866
#3  0x8074047 in ubi_sptFind (RootPtr=0x80a55d0, FindMe=0xbfbff50c)
    at ubi_SplayTree.c:458
#4  0x8071122 in CheckTagList (p=0xbfbff614, event=0xbfbff590) at tag.c:424
#5  0x8055f88 in Detect (p=0xbfbff614) at rules.c:3704
#6  0x8055d2b in Preprocess (p=0xbfbff614) at rules.c:3515
#7  0x804abc9 in ProcessPacket (user=0x0, pkthdr=0x817b80c, pkt=0x817b81e "\b")
    at snort.c:545
#8  0x280c282d in pcap_read () from /usr/lib/libpcap.so.2
#9  0x280c251b in pcap_loop () from /usr/lib/libpcap.so.2
#10 0x804c0a2 in InterfaceThread (arg=0x0) at snort.c:1586
#11 0x804aab9 in main (argc=6, argv=0xbfbffbc8) at snort.c:478
#12 0x804a351 in _start ()
(gdb) f 4
#4  0x8071122 in CheckTagList (p=0xbfbff614, event=0xbfbff590) at tag.c:424
424         returned = (TagNode *) ubi_sptFind(ssn_tag_cache_ptr, (ubi_btItemPtr)&idx);
(gdb) print ssn_tag_cache_ptr 
$1 = 0x80a55d0
(gdb) print *ssn_tag_cache_ptr 
$2 = {root = 0x8171a80, cmp = 0, count = 1, flags = 0 '\000'}
(gdb) quit
snoop3# exit

snoop3# ldd /opt/snort/bin/snort
        libz.so.2 => /usr/lib/libz.so.2 (0x280a8000)
        libpcap.so.2 => /usr/lib/libpcap.so.2 (0x280b5000)
        libm.so.2 => /usr/lib/libm.so.2 (0x280ce000)
        libmysqlclient.so.6 => /usr/local/lib/mysql/libmysqlclient.so.6 (0x280e9000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28102000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28197000)

My gdb / set args / run attempt to set some watchpoints on ssn_tag_cache_ptr
moved the stack, so that I can't reproduce the problem using gdb (and
snort logs the packets to tcpdump_.. as expected).

The system is running FreeBSD 4.2-REL; snort is compiled using gcc 2.95.2.

Is it a known issue?
Do you expect any more details about this configuration?

      sed 's/[ -`b-jm-~]//g' /etc/termcap | grep '^\(k[^lk]\)\{2\}[^ka]$'
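The dump above shows the tag cache root with `cmp = 0`, so the comparator call at ubi_BinTree.c:236 jumps to address 0. The following is an added illustration, not Snort's ubi_BinTree code: a minimal tree with the same {root, cmp, count} shape (names hypothetical), an unchecked lookup that reproduces the failure mode on a tree whose comparator was never set, and a checked lookup that refuses such a tree instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the splay-tree root seen in the gdb dump:
 * {root, cmp, count}. Not Snort's real types. */
typedef struct node { struct node *left, *right; const char *key; } node_t;
typedef int (*cmp_fn)(const void *a, const void *b);
typedef struct { node_t *root; cmp_fn cmp; unsigned count; } tree_t;

static int key_cmp(const void *a, const void *b) { return strcmp(a, b); }

/* Mirrors the crash path: calls cmp unconditionally, so a tree with
 * cmp == 0 and at least one node jumps to address 0 on the first compare. */
static node_t *find_unchecked(tree_t *t, const char *key) {
    node_t *n = t->root;
    while (n) {
        int c = t->cmp(key, n->key);
        if (c == 0) return n;
        n = (c < 0) ? n->left : n->right;
    }
    return NULL;
}

/* Hardened variant: refuse to walk a tree whose comparator was never set. */
static node_t *find_checked(tree_t *t, const char *key) {
    if (t == NULL || t->cmp == NULL) return NULL;
    return find_unchecked(t, key);
}

/* Returns 1 when the tree is safe to search. */
static int tree_is_initialised(const tree_t *t) { return t && t->cmp != NULL; }

/* Constructed sample data reproducing the two states: a cache with one
 * node but cmp still 0 (count = 1, cmp = 0 as in the dump), and the same
 * cache after its comparator has been installed. */
static node_t sample_node = { NULL, NULL, "session-tag" };
static tree_t bad_cache  = { &sample_node, NULL, 1 };
static tree_t good_cache = { &sample_node, key_cmp, 1 };

int main(void) {
    printf("bad cache usable: %d\n", tree_is_initialised(&bad_cache));
    printf("checked find on bad cache: %p\n",
           (void *)find_checked(&bad_cache, "session-tag"));
    printf("checked find on good cache: %s\n",
           find_checked(&good_cache, "session-tag")->key);
    return 0;
}
```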
