[Snort-devel] [ snort-Bugs-484813 ] snort 1.8.2 crash on 50Mb traffic with r

noreply at ...12... noreply at ...12...
Mon Nov 26 20:47:05 EST 2001


Bugs item #484813, was opened at 2001-11-23 02:22
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=484813&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: snort 1.8.2 crash on 50Mb traffic with r

Initial Comment:
Hello,
Here is my bug report:
Architecture: Sun SPARC
OS: Solaris 2.7 (Sun OS 5.7)
We are using all the signatures.
We launch snort through Demarc 1.4.02, and it looks like:
./snort -i hme0 -o -D -v -c /usr/local/etc/snort/snort.conf

During our NIDS tests, we systematically have snort
1.8.2 (with or without snmp and mysql on) crash under
50 Mb traffic composed of tiny packets of 64 bits. We
test it on a Sun platform under Solaris 2.7.
We just changed the "preprocessor stream4_reassemble"
options from the default to "both:port all".
We changed this option because we wanted to test snort's
ability to detect fragmented attacks under heavy traffic.
On established 50Mb traffic, we start snort; it
detects some fragmented attacks, but not all, then after
some minutes it crashes with a core dump.
On 25Mb traffic it doesn't crash and detects all
fragmented attacks.
Does someone have an explanation for this crash? Is
snort limited to small traffic when we ask it to
reassemble packets?

Here are the gdb traces:
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.7"...
warning: exec file is newer than core file.
Core was generated by `./snort -i hme0 -o -D -v -c /usr/local/etc/snort/snort.conf'.
Program terminated with signal 10, Bus Error.
Reading symbols from /usr/lib/libkstat.so.1...done.
Reading symbols from /usr/local/lib/libz.so...done.
Reading symbols from /usr/lib/libm.so.1...done.
Reading symbols from /usr/lib/libsocket.so.1...done.
Reading symbols from /usr/lib/libnsl.so.1...done.
Reading symbols from /usr/local/lib/libsnmp-0.4.2.1.so...done.
Reading symbols from /usr/lib/libc.so.1...done.
Reading symbols from /usr/lib/libdl.so.1...done.
Reading symbols from /usr/lib/libmp.so.2...done.
Reading symbols from /usr/platform/SUNW,Ultra-60/lib/libc_psr.so.1...done.
Reading symbols from /usr/lib/nss_files.so.1...done.
#0  Preprocess (p=0x13d7b8) at rules.c:3508
3508    rules.c: No such file or directory.
(gdb) bt
#0  Preprocess (p=0x13d7b8) at rules.c:3508
#1  0x5c900 in FlushStream (s=0x12bd08, p=0xffbef5c0, direction=1023084) at spp_stream4.c:2668
#2  0x59d58 in ReassembleStream4 (p=0xffbef5c0) at spp_stream4.c:1163
#3  0x32e84 in Preprocess (p=0xffbef5c0) at rules.c:3508
#4  0x25104 in ProcessPacket (user=0x0, pkthdr=0x11a000, pkt=0x1236c6 "\b") at snort.c:545
#5  0x5f860 in pcap_read ()
#6  0x605ac in pcap_loop ()
#7  0x26aac in InterfaceThread (arg=0x11a214) at snort.c:1593
#8  0x24fa0 in main (argc=1155604, argv=0xffbefcb4) at snort.c:478
(gdb) quit
Thanks for your help and debugging
Bruno GODARD
