[Snort-devel] Re: tag: segfaults;

Pascal Bouchareine pb at ...858...
Mon Nov 5 07:18:03 EST 2001


Okay, guess I have it.

This is snort 1.8.2, same behaviour with an older copy from cvs.

Repeated this behaviour only with snort running in daemon mode (-D).

The ssn_tag_cache_ptr sounds uninitialized in the forked process.
Having a closer look, I noticed a little mess around conf_done,
ReadConfFile(), and there seems to be a missing InitTag(), in 
ReadConfFile() line 3192.

This works fine now that this init() is done.

On Mon, Nov 05, 2001 at 02:01:55PM +0100, Pascal Bouchareine wrote:
> Hi,
> 
> Using snort with an output database: alert, ... and a log_tcpdump,
> the following test rule :
> 
> alert TCP $INTERNAL_AUDIT any -> $ORACLE 1024: (\
>                                     msg: "audited sqlplus login"; \
>                                     flags: A+; content: "SQL*Plus"; \
>                                     classtype: policy; \
>                                     tag: session, 300, packets;)
> 
> Snort dumps core when the rule is triggered.
> 
> snoop3# gdb --core /opt/snort/etc/snort.core /opt/snort/bin/snort
> GNU gdb 4.18
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-unknown-freebsd"...
> Core was generated by `snort'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/lib/libz.so.2...done.
> Reading symbols from /usr/lib/libpcap.so.2...done.
> Reading symbols from /usr/lib/libm.so.2...done.
> Reading symbols from /usr/local/lib/mysql/libmysqlclient.so.6...done.
> Reading symbols from /usr/lib/libc.so.4...done.
> Reading symbols from /usr/lib/libcrypt.so.2...done.
> Reading symbols from /usr/libexec/ld-elf.so.1...done.
> #0  0x0 in ?? ()
> (gdb) bt
> #0  0x0 in ?? ()
> #1  0x807372d in qFind (cmp=0, FindMe=0xbfbff50c, p=0x8171a80)
>     at ubi_BinTree.c:236
> #2  0x8073c45 in ubi_btFind (RootPtr=0x80a55d0, FindMe=0xbfbff50c)
>     at ubi_BinTree.c:866
> #3  0x8074047 in ubi_sptFind (RootPtr=0x80a55d0, FindMe=0xbfbff50c)
>     at ubi_SplayTree.c:458
> #4  0x8071122 in CheckTagList (p=0xbfbff614, event=0xbfbff590) at tag.c:424
> #5  0x8055f88 in Detect (p=0xbfbff614) at rules.c:3704
> #6  0x8055d2b in Preprocess (p=0xbfbff614) at rules.c:3515
> #7  0x804abc9 in ProcessPacket (user=0x0, pkthdr=0x817b80c, pkt=0x817b81e "\b")
>     at snort.c:545
> #8  0x280c282d in pcap_read () from /usr/lib/libpcap.so.2
> #9  0x280c251b in pcap_loop () from /usr/lib/libpcap.so.2
> #10 0x804c0a2 in InterfaceThread (arg=0x0) at snort.c:1586
> #11 0x804aab9 in main (argc=6, argv=0xbfbffbc8) at snort.c:478
> #12 0x804a351 in _start ()
> (gdb) f 4
> #4  0x8071122 in CheckTagList (p=0xbfbff614, event=0xbfbff590) at tag.c:424
> 424         returned = (TagNode *) ubi_sptFind(ssn_tag_cache_ptr, (ubi_btItemPtr)&idx);
> (gdb) print ssn_tag_cache_ptr 
> $1 = 0x80a55d0
> (gdb) print *ssn_tag_cache_ptr 
> $2 = {root = 0x8171a80, cmp = 0, count = 1, flags = 0 '\000'}
> (gdb) quit
> snoop3# exit
> 
> snoop3# ldd /opt/snort/bin/snort
> /opt/snort/bin/snort:
>         libz.so.2 => /usr/lib/libz.so.2 (0x280a8000)
>         libpcap.so.2 => /usr/lib/libpcap.so.2 (0x280b5000)
>         libm.so.2 => /usr/lib/libm.so.2 (0x280ce000)
>         libmysqlclient.so.6 => /usr/local/lib/mysql/libmysqlclient.so.6 (0x280e9000)
>         libc.so.4 => /usr/lib/libc.so.4 (0x28102000)
>         libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28197000)
> 
> 
> My gdb / set args / run attempt to set some watchpoints on ssn_tag_cache_ptr
> moved the stack, so that I can't reproduce the problem using gdb (and
> snort logs the packets to tcpdump_.. as expected).
> 
> The system is running FreeBSD 4.2-REL, snort is compiled using gcc 2.95.2
> 991024-rel.
> 
> Is it a known issue?
> Do you expect any more details about this configuration?
> 
> -- 
> Kalou
>       sed 's/[ -`b-jm-~]//g' /etc/termcap | grep '^\(k[^lk]\)\{2\}[^ka]$'

-- 
Kalou
      sed 's/[ -`b-jm-~]//g' /etc/termcap | grep '^\(k[^lk]\)\{2\}[^ka]$'
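To make the failure mode above concrete, here is an added example that is not Snort's code and not from the author: a small model of the tree seen in the backtrace (fields root, cmp, count, flags), with hypothetical names tree_t, tree_init and tree_find, whose lookup refuses to run when no init step ever set the comparator, instead of calling through address 0 as qFind(cmp=0, ...) did. It assumes, as an explanation for the core's root/count/cmp values, that placing the first node into an empty tree needs no comparison, so the missing init only shows at the first lookup.

```c
/* Added example, not Snort's code: a model of the tag cache tree from the
 * backtrace (root, cmp, count, flags); a skipped init surfaces at first lookup. */
#include <stddef.h>
#include <string.h>
typedef int (*cmp_fn)(const void *, const void *);
typedef struct node { struct node *left, *right; int key; } node_t;
typedef struct { node_t *root; cmp_fn cmp; unsigned long count; unsigned char flags; } tree_t;

static int key_cmp(const void *a, const void *b) {
    int x = ((const node_t *)a)->key, y = ((const node_t *)b)->key;
    return (x > y) - (x < y);
}
void tree_init(tree_t *t, cmp_fn cmp) { memset(t, 0, sizeof *t); t->cmp = cmp; }

/* Guarded lookup: an uninitialised tree is reported via *ready instead of
 * calling t->cmp through address 0 the way qFind(cmp=0, ...) did. */
node_t *tree_find(const tree_t *t, const node_t *probe, int *ready) {
    node_t *cur = t->root;
    *ready = (t->cmp != NULL);
    if (!*ready) return NULL;
    while (cur) {
        int c = t->cmp(probe, cur);
        if (c == 0) return cur;
        cur = c < 0 ? cur->left : cur->right;
    }
    return NULL;
}

static tree_t cache;        /* zeroed static: a global whose Init() never ran */
static node_t n1, n2;

/* Reproduce the report's state (assumed: linking the first node into an empty
 * tree needs no comparison): root != NULL, count == 1, cmp still 0. */
int skipped_init_detected(void) {
    int ready;
    node_t probe = { NULL, NULL, 300 };
    memset(&cache, 0, sizeof cache);
    n1.key = 300; n1.left = n1.right = NULL; cache.root = &n1; cache.count = 1;
    tree_find(&cache, &probe, &ready);      /* first lookup: refused, no segfault */
    return ready == 0;
}
/* With the init done, the same lookup walks the tree and finds its node. */
int initialised_find_works(void) {
    int ready;
    node_t probe = { NULL, NULL, 1024 };
    tree_init(&cache, key_cmp);
    n1.key = 300; n2.key = 1024; n2.left = n2.right = NULL;
    n1.left = NULL; n1.right = &n2; cache.root = &n1; cache.count = 2;   /* 1024 > 300 */
    return tree_find(&cache, &probe, &ready) == &n2 && ready == 1;
}
```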
