[Snort-devel] snort 1.8.2 crash on 50Mb traffic with reassembly directive on

Bruno GODARD Bruno.GODARD at ...949...
Fri Nov 16 00:58:01 EST 2001

Here is my Bug report :
archi : Sun sparc
OS : solaris 2.7 (Sun OS 5.7)
We are using all the signatures
We launch snort thru Demarc 1.4.02, and it's look like  : ./snort -i hme0 -o -D
-v -c /usr/local/etc/snort/snort.conf

During our NIDS tests, we systematicaly have snort 1.8.2 (with or without snmp
and mysql on) which crash under
50 Mb traffic composed of tiny packets of 64 bits. We test it on sun plateform
under solaris 2.7.
We just change "preprocessor stream4_reassemble" options from default to
"both:port all"
We change this option because we would test snort ability to detect  fragmented
attack on heavy traffic.
On a established 50Mb traffic, We start snort, it detects some fragmented
attack, but not all, then after some minutes it crash with a core dump.
On a 25Mb traffic it doesn't crash and detects all fragmented attacks.
Can someone have an explanation of this crash , is snort limited to small
traffic when we ask it to reassemble packet.

Here  are the traces of gdb :
GNU gdb 4.18Copyright 1998 Free Software Foundation, Inc.GDB is free software,
covered by the GNU General Public License, and you arewelcome to change it
and/or distribute copies of it under certain conditions.Type "show copying" to
see the conditions.There is absolutely no warranty for GDB.  Type "show
warranty" for details.This GDB was configured as
"sparc-sun-solaris2.7"...warning: exec file is newer than core file.Core was
generated by `./snort -i hme0 -o -D -v -c
/usr/local/etc/snort/snort.conf'.Program terminated with signal 10, Bus Error.
Reading symbols from /usr/lib/libkstat.so.1...done.
Reading symbols from /usr/local/lib/libz.so...done.
Reading symbols from /usr/lib/libm.so.1...done.
Reading symbols from /usr/lib/libsocket.so.1...done.
Reading symbols from /usr/lib/libnsl.so.1...done.
Reading symbols from /usr/local/lib/libsnmp-
Reading symbols from /usr/lib/libc.so.1...done.
Reading symbols from /usr/lib/libdl.so.1...done.
Reading symbols from /usr/lib/libmp.so.2...done.
Reading symbols from /usr/platform/SUNW,Ultra-60/lib/libc_psr.so.1...done.
Reading symbols from /usr/lib/nss_files.so.1...done.
#0  Preprocess (p=0x13d7b8) at rules.c:3508
3508    rules.c: No such file or directory.
(gdb) bt
#0  Preprocess (p=0x13d7b8) at rules.c:3508
#1  0x5c900 in FlushStream (s=0x12bd08, p=0xffbef5c0, direction=1023084) at
#2  0x59d58 in ReassembleStream4 (p=0xffbef5c0) at spp_stream4.c:1163
#3  0x32e84 in Preprocess (p=0xffbef5c0) at rules.c:3508
#4  0x25104 in ProcessPacket (user=0x0, pkthdr=0x11a000, pkt=0x1236c6 "\b") at
#5  0x5f860 in pcap_read ()
#6  0x605ac in pcap_loop ()
#7  0x26aac in InterfaceThread (arg=0x11a214) at snort.c:1593
#8  0x24fa0 in main (argc=1155604, argv=0xffbefcb4) at snort.c:478
(gdb) quit
(See attached file: snort.CRASH)

Le contenu de ce message ne represente en aucun cas un 
engagement de la part de Noos sous reserve de tout accord 
conclu par ecrit entre vous et Noos. Toute publication, 
utilisation ou diffusion, meme partielle, doit etre autorisee 
prealablement. Si vous n'etes pas destinataire de ce message, merci d'en 
avertir immediatement l'expediteur.
Pour avoir plus d'informations sur Noos : http://www.noos.com

The content of this message does not constitute a commitment 
by Noos except where provided for in a written agreement 
between you and Noos. Any unauthorised disclosure, use or
dissemination, either whole or partial, is prohibited. If you are not the
intended recipient of the message, please notify the sender immediately.
For more information about us: http://www.noos.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.CRASH
Type: application/octet-stream
Size: 1804 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20011116/42667a13/attachment.obj>

More information about the Snort-devel mailing list