[Snort-devel] COREdump of snort on a Dual i586 233MMX

Dennis Fleurbaaij dennis at ...856...
Wed Oct 3 04:54:05 EDT 2001


Hi again,

/me bad :) Forgot to post the stack =]


(gdb) bt
#0  0x08065725 in Database (p=0xbffff360, msg=0x80a7900 "Ethernet
destination/ARP target address mismatch", arg=0x810cd18,
event=0xbffff300) at spo_database.c:823
#1  0x0805a45e in CallAlertPlugins (p=0xbffff360, message=0x80a7900
"Ethernet destination/ARP target address mismatch", args=0x0,
event=0xbffff300) at rules.c:3551
#2  0x0805a3d2 in CallAlertFuncs (p=0xbffff360, message=0x80a7900
"Ethernet destination/ARP target address mismatch", head=0x0,
event=0xbffff300) at rules.c:3523
#3  0x0808afaf in ARPspoofPreprocFunction (p=0xbffff360) at
spp_arpspoof.c:263
#4  0x0805a205 in Preprocess (p=0xbffff360) at rules.c:3426
#5  0x0804b08f in ProcessPacket (user=0x0, pkthdr=0xbffff850,
pkt=0x402e2682 "ÿÿÿÿÿÿ") at snort.c:534
#6  0x0808b766 in packet_ring_recv () at eval.c:41
#7  0x0808ba8f in pcap_read () at eval.c:41
#8  0x0808c73f in pcap_loop () at eval.c:41
#9  0x0804c969 in InterfaceThread (arg=0x0) at snort.c:1561
#10 0x0804af2b in main (argc=5, argv=0xbffffaac) at snort.c:467
#11 0x40169e5e in __libc_start_main (main=0x804a800 <main>, argc=5,
ubp_av=0xbffffaac, init=0x8049df4 <_init>, fini=0x8096180 <_fini>,
     rtld_fini=0x4000d3c4 <_dl_fini>, stack_end=0xbffffa9c) at
../sysdeps/generic/libc-start.c:129


(gdb) info locals
data = (struct _DatabaseData *) 0x810cd18
query = (struct _SQLQuery *) 0x8587398
root = (struct _SQLQuery *) 0x8587398
tmp = 0x856b9c8 "\b\021'@\b\021'@03 12:46:34+02"
tmp1 = 0x0
tmp2 = 0x0
tmp3 = 0x80870aa "\203Ä\020¸\020"
tmp_not_escaped = 0x84e5b28 "\020³\005\b8[N\b"
i = -1073745056
select0 = 0x85c0400 "SELECT sig_id FROM signature WHERE sig_name =
'Ethernet destination/ARP target address mismatch' AND  sig_rev = 1 "
select1 = 0x805a769 "\203Ä\020\211À\211Àé´\001"
insert0 = 0xbffff288 "ȹV\b\230sX\b\230sX\b\030Í\020\b¸òÿ¿^¤\005\b`óÿ¿"
sig_id = 1
ds_ptr = (struct _ReferenceData *) 0x0
class_ptr = (struct _PriorityData *) 0x805b391
ref_system_id = 139483072
ref_id = 3221222240
class_id = 0


(gdb) info args
p = (struct _Packet *) 0xbffff360
msg = 0x80a7900 "Ethernet destination/ARP target address mismatch"
arg = (void *) 0x810cd18
event = (struct _Event *) 0xbffff300
(gdb) bt
#0  0x08065725 in Database (p=0xbffff360, msg=0x80a7900 "Ethernet
destination/ARP target address mismatch", arg=0x810cd18,
event=0xbffff300) at spo_database.c:823
#1  0x0805a45e in CallAlertPlugins (p=0xbffff360, message=0x80a7900
"Ethernet destination/ARP target address mismatch", args=0x0,
event=0xbffff300) at rules.c:3551
#2  0x0805a3d2 in CallAlertFuncs (p=0xbffff360, message=0x80a7900
"Ethernet destination/ARP target address mismatch", head=0x0,
event=0xbffff300) at rules.c:3523
#3  0x0808afaf in ARPspoofPreprocFunction (p=0xbffff360) at
spp_arpspoof.c:263
#4  0x0805a205 in Preprocess (p=0xbffff360) at rules.c:3426
#5  0x0804b08f in ProcessPacket (user=0x0, pkthdr=0xbffff850,
pkt=0x402e2682 "ÿÿÿÿÿÿ") at snort.c:534
#6  0x0808b766 in packet_ring_recv () at eval.c:41
#7  0x0808ba8f in pcap_read () at eval.c:41
#8  0x0808c73f in pcap_loop () at eval.c:41
#9  0x0804c969 in InterfaceThread (arg=0x0) at snort.c:1561
#10 0x0804af2b in main (argc=5, argv=0xbffffaac) at snort.c:467
#11 0x40169e5e in __libc_start_main (main=0x804a800 <main>, argc=5,
ubp_av=0xbffffaac, init=0x8049df4 <_init>, fini=0x8096180 <_fini>,
     rtld_fini=0x4000d3c4 <_dl_fini>, stack_end=0xbffffa9c) at
../sysdeps/generic/libc-start.c:129


Maybe this is stupid but I'm going to investigate the  /. I can't
imagine it's okay to put that in the query; this is not the source
of the crash though :/


-- Dennis



Dennis Fleurbaaij wrote:

 > Hi,
 >
 > I'm running snort on my home-firewall but it tends to coredump all
 > over the place on my i386. The version in this trace here is
 > 1.8.1-RELEASE
 > but the CVS version dumps even worse so I assume that the problem is
 > not yet fixed.
 >
 > I run snort with a postresql database.
 >
 > (NOTE: the logging to the db doesn't work unless I compile snort 1.8.1
 > without the -O2 option, any ideas on this one please mail me,
 > the CVS versing works okay though when logging though)
 >
 > So I won't keep you in suspense much longer, here it is:
 >
 > [root at ...857... test]# gdb -c core /software/snort-1.8.1-RELEASE/snort
 > GNU gdb 5.0rh-5 Red Hat Linux 7.1
 > Copyright 2001 Free Software Foundation, Inc.
 > GDB is free software, covered by the GNU General Public License, and
 > you are
 > welcome to change it and/or distribute copies of it under certain
 > conditions.
 > Type "show copying" to see the conditions.
 > There is absolutely no warranty for GDB.  Type "show warranty" for
 > details.
 > This GDB was configured as "i386-redhat-linux"...
 > Core was generated by `snort -p -c /etc/snort/snort.conf -D'.
 > Program terminated with signal 11, Segmentation fault.
 > Reading symbols from /lib/libm.so.6...done.
 > Loaded symbols for /lib/libm.so.6
 > Reading symbols from /lib/libnsl.so.1...done.
 > Loaded symbols for /lib/libnsl.so.1
 > Reading symbols from /usr/lib/libpq.so.2...done.
 > Loaded symbols for /usr/lib/libpq.so.2
 > Reading symbols from /usr/lib/libssl.so.1...done.
 > Loaded symbols for /usr/lib/libssl.so.1
 > Reading symbols from /usr/lib/libcrypto.so.1...done.
 > Loaded symbols for /usr/lib/libcrypto.so.1
 > Reading symbols from /lib/libc.so.6...done.
 > Loaded symbols for /lib/libc.so.6
 > Reading symbols from /lib/libcrypt.so.1...done.
 > Loaded symbols for /lib/libcrypt.so.1
 > Reading symbols from /lib/libresolv.so.2...done.
 > Loaded symbols for /lib/libresolv.so.2
 > Reading symbols from /lib/libdl.so.2...done.
 > Loaded symbols for /lib/libdl.so.2
 > Reading symbols from /lib/ld-linux.so.2...done.
 > Loaded symbols for /lib/ld-linux.so.2
 > Reading symbols from /lib/libnss_files.so.2...done.
 > Loaded symbols for /lib/libnss_files.so.2
 > Reading symbols from /lib/libnss_nisplus.so.2...done.
 > Loaded symbols for /lib/libnss_nisplus.so.2
 > Reading symbols from /lib/libnss_dns.so.2...done.
 > Loaded symbols for /lib/libnss_dns.so.2
 > #0  0x08065725 in Database (p=0xbffff360,
 >    msg=0x80a7900 "Ethernet destination/ARP target address mismatch",
 > arg=0x810cd18, event=0xbffff300)
 >    at spo_database.c:823
 > 823                if(p->iph->ip_proto == IPPROTO_ICMP && p->icmph)
 > (gdb)
 >
 >
 > We can seen that it has something to so with the database driver (
 > spo_database.c ). The comment above that line is:
 >
 > /* query = NewQueryNode(query, 0); */
 >
 > Which kindof leadse me to beleave that i'm wrinting to NULL (or even
 > worse a stray pointer) here. In anycase if someone who wants
 > to help and _CAN_ help is interested, a shell to the machine is
 > available... Or if you're lazy just give me a clue to why this happens
 > and I'll code it myself.
 >
 > Greets and tnx for the (usually) kewl software,
 >  - Dennis Fleurbaaij
 >
 >
 >
 > _______________________________________________
 > Snort-devel mailing list
 > Snort-devel at lists.sourceforge.net
 > https://lists.sourceforge.net/lists/listinfo/snort-devel
 >


-- 
Met vriendelijke groet,

Dennis Fleurbaaij

Voorzitter Stichting CORE
----------------------------
Tel : +31 (0) 6 54 21 53 65
Mail: dennis at ...856...









More information about the Snort-devel mailing list