[Snort-devel] bug in latest cvs

mitchell mitchell at ...1518...
Thu Aug 1 06:18:27 EDT 2002


- System Architecture = alpha EV6
- Operating System and version = linux 2.4.18 compiler 2.96-rh
- Version of snort = cvs from jul 30 3:00pm CST
- What preprocessors you loaded = 
	<snip>
	stream4: detect_state_problem, disable_evasion_alerts
	frag2
	preprocessor stream4_reassemble noalerts
	preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
	iis_flip_slash full_whitespace
	preprocessor rpc_decode: 111 32771
	preprocessor bo: -nobrute
	preprocessor telnet_decode
	preprocessor asn1_decode
	preprocessor conversation: allowed_ip_protocols all, timeout 60,
	max_conversations 32000
	preprocessor portscan2: scanners_max 3200, targets_max 5000,
	target_limit 5, port_limit 20, timeout 60
	</snip>
- What rules (if any) you were using = 
	all the default rules that come with 1.9.x cvs
- What output plug-ins you loaded = 
	<snip>
	output alert_unified: filename snort.alert, limit 256
	output log_unified: filename snort.log, limit 256
	</snip>

- What command line switches you were using = 
	-c /etc/snort/snort.conf -i eth1 -D


-- the core file backtrace with --enable-debug 

gdb snort core 
GNU gdb Red Hat Linux (5.1-0.71)
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "alpha-redhat-linux"...
Core was generated by `./snort -c /etc/snort/snort.conf -i eth1 -D'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libm.so.6.1...done.
Loaded symbols for /lib/libm.so.6.1
Reading symbols from /lib/libnsl.so.1.1...done.
Loaded symbols for /lib/libnsl.so.1.1
Reading symbols from /lib/libc.so.6.1...done.
Loaded symbols for /lib/libc.so.6.1
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_nisplus.so.2...done.
Loaded symbols for /lib/libnss_nisplus.so.2
#0  0x120043e58 in PreprocUrlDecode (p=0x11ffff0e0) at spp_http_decode.c:430
430             index++;
(gdb) bt
#0  0x120043e58 in PreprocUrlDecode (p=0x11ffff0e0) at spp_http_decode.c:430
#1  0x120022404 in Preprocess (p=0x11ffff0e0) at detect.c:80
#2  0x120019c60 in ProcessPacket (user=0x120067954 "SNORT_DEBUG", 
    pkthdr=0x120076a75, pkt=0x12015bed8 "*\002âÐ") at snort.c:580
#3  0x120056f58 in pcap_read_packet ()
#4  0x120058818 in pcap_loop ()
#5  0x12001bc4c in InterfaceThread (arg=0x120067954) at snort.c:1612
#6  0x120019a4c in SnortMain (argc=537521168, argv=0x1200b3920) at snort.c:514
#7  0x120019118 in main (argc=537295188, argv=0x120019a80) at snort.c:95
#8  0x2000012a85c in __libc_start_main (main=0x120019100 <main>,
    argc=6, ubp_av=0x11ffff9b8, init=0x120002ca0 <_init>, 
    fini=0x2000002b800 <_dl_debug_mask>, rtld_fini=0x2c6edf52, 
    stack_end=0x11ffff9a0) at ../sysdeps/generic/libc-start.c:129
		

This is a sensor seeing ~5000-7000 packets a second.
Snort 1.8.7 does fine on the machine and stays up for months at a time.

If you need or want any more information, just let me know.

Thanks,
Mitchell



