[Snort-devel] Version 1.8.3 (Build 87)

Phil Wood cpw at ...86...
Tue Nov 20 12:52:14 EST 2001


Marty,

I've got a "-b" file which, when passed through snort like so:

  run -r last.CR-causescore  -N -q -A fast -o -c /tmp/CR.conf -F /tmp/bpf

gets a:

  Program received signal SIGSEGV, Segmentation fault.
0x807cdc9 in StoreStreamPkt (ssn=0x8c7fba8, p=0xbffff1a0, pkt_seq=3314385064)
    at spp_stream4.c:2602
2602        returned = (StreamPacketData *) ubi_sptFind(s->dataPtr, (ubi_btItemPtr)spd);

I'm in the throes of zeroing in on the problem.  Have you already seen this?
Or, should I keep throe'n?

Later,

Phil

PS: I gave snort a bpf filter of "ip", because snort is also formatting
packets that contain nimda data but have zeros at the beginning of the packet.  Hex at bottom
of this message.

PSS: I sent you a brief mention of this a while back, but think it went
to an old address of yours.

==============================  gdb  info  ===================================
(gdb) list
2597            return;
2598        }
2599
2600
2601        /* check for retransmissions */
2602        returned = (StreamPacketData *) ubi_sptFind(s->dataPtr, (ubi_btItemPtr)spd);
2603
2604        if(returned != NULL)
2605        {
2606            if(returned->payload_size == p->dsize && 
(gdb) print *s
Cannot access memory at address 0x8c7fbf0
(gdb) print *p
$1 = {pkth = 0xbffff640, pkt = 0x8158042 "", fddihdr = 0x0, fddisaps = 0x0, 
  fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0, 
  trhmr = 0x0, sllh = 0x0, eh = 0x8158042, vh = 0x0, ehllc = 0x0, 
  ehllcother = 0x0, ah = 0x0, iph = 0x8158050, orig_iph = 0x0, 
  ip_options_len = 0, ip_options_data = 0x0, tcph = 0x8158064, 
  orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0, 
  orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0, 
  data = 0x8158078 "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: www\r\nConnnection: close\r\n\r\nnnnection: close\r\n\r\nr HTTP/1.0\r\nHost: www\r\nConnnection: close\r\n\r\n", dsize = 80, frag_flag = 0 '\000', frag_offset = 0, 
  mf = 0 '\000', df = 1 '\001', rf = 0 '\000', sp = 2292, dp = 80, 
  orig_sp = 0, orig_dp = 0, caplen = 0, URI = {uri = 0x0, length = 0}, 
  ssnptr = 0x8c7fba8, ip_options = {{code = 0 '\000', len = 0, 
      data = 0x0} <repeats 40 times>}, ip_option_count = 0, 
  ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0, 
      data = 0x0} <repeats 40 times>}, tcp_option_count = 0, 
  tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', packet_flags = 4}
(gdb) print *ssn
$2 = {Node = {Link = {0x0, 0x0, 0x0}, gender = 0 '\000', balance = 0 '\000'}, 
  server = {ip = 135632744, port = 38814, state = 21 '\025', isn = 1006263450, 
    current_seq = 268748, base_seq = 134, last_ack = 134, win_size = 32936, 
    pkts_sent = 8781904, bytes_sent = 10331, data = {root = 0x0, cmp = 0, 
      count = 17, flags = -24 '�'}, dataPtr = 0x401b2d10}, client = {
    ip = 791686704, port = 17, state = 0 '\000', isn = 134583936, 
    current_seq = 138430712, base_seq = 0, last_ack = 17, win_size = 38692, 
    pkts_sent = 138437616, bytes_sent = 0, data = {root = 0x19, cmp = 0xa580, 
      count = 65535, flags = 0 '\000'}, dataPtr = 0x8406120}, start_time = 0, 
  last_session_time = 521, session_flags = 138431272}
(gdb)  


===============================  headers sorely lacking ======================
tcpdump -n -r last.CR-causescore -x -s 1514 -c 1 not ip | hextotex
1 packets received by filter
00:02:03.211737 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=0,C) len=1500
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000a77  00508480 :                w P   :
  5b33ec41  caf15018  77c40000  00000000  00000000 : {3 A  P w            :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00004745  54202f64 :               GET /d :
  65666175  6c742e69  64613f4e  4e4e4e4e  4e4e4e4e : efault.ida?NNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e00  00000000 : NNNNNNNNNNNNNNN      :
  00000000  00000000  0000c303  00000078  00fa2025 :                x   % :
  75393039  30257536  38353825  75636264  33257537 : u9090%u6858%ucbd3%u7 :
  38303125  75393039  30257536  38353825  75636264 : 801%u9090%u6858%ucbd :
  33257537  38303125  75393039  30257539  30393025 : 3%u7801%u9090%u9090% :
  75383139  30257530  30633325  75303030  33257538 : u8190%u00c3%u0003%u8 :
  62303025  75353331  62257535  33666625  75303037 : b00%u531b%u53ff%u007 :
  38257530  30303025  7530303d  61202048  5454502f : 8%u0000%u00=a  HTTP/ :
  312e300d  0a436f6e  74656e74  2d747970  653a2074 : 1.0  Content-type: t :
  6578742f  786d6c0a  484f5354  3a777777  2e776f72 : ext/xml HOST:www.wor :
  6d2e636f  6d0a2041  63636570  743a202a  2f2a0a43 : m.com  Accept: */* C :
  6f6e7465  6e742d6c  656e6774  683a2033  35363920 : ontent-length: 3569  :
  0d0a0d0a  558bec81  ec180200  00535657  8dbde8fd :     U        SVW     :
  ffffb986  000000b8  cccccccc  f3abc785  70feffff :                 p    :
  00000000  e90a0b00  008f8568  feffff8d  bdf0feff :            h         :
  ff64a100  00000089  47086489  3d000000  00e96f0a :  d      G d =     o  :
  00008f85  60feffff  c785f0fe  ffffffff  ffff8b85 :     `                :
  68feffff  83e80789  85f4feff  ffc78558  feffff00 : h              X     :
  00e077e8  9b0a0000  83bd70fe  ffff000f  85dd0100 :   w       p          :
  008b8d58  feffff81  c1000001  00898d58  feffff81 :    X           X     :
  bd58feff  ff000000  78750ac7  8558feff  ff0000f0 :  X      xu   X       :
  bf8b9558  feffff33  c0668b02  3d4d5a00  000f859a :    X   3 f  =MZ      :
  0100008b  8d58feff  ff8b513c  8b8558fe  ffff33c9 :      X    Q<  X   3  :
  668b0c10  81f95045  00000f85  79010000  8b9558fe : f     PE    y     X  :
  ffff8b42  3c8b8d58  feffff8b  54017803  9558feff :    B<  X    T x  X   :
  ff899554  feffff8b  8554feff  ff8b480c  038d58fe :    T     T    H   X  :
=========================  end-o-stuff =======================================



