[Snort-devel] [ snort-Bugs-491771 ] core dump: Ethernet destination/ARP targ

noreply at ...12... noreply at ...12...
Sat Jan 12 18:39:03 EST 2002


Bugs item #491771, was opened at 2001-12-11 14:09
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=491771&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Jed Pickel (jpickel)
Summary: core dump: Ethernet destination/ARP targ

Initial Comment:
While running v1.8.2 and v1.8.3 with logging to mysql, snort cores often with:

root at ...1014.../etc: gdb /usr/local/bin/snort snort.core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `snort'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libz.so.2...done.
Reading symbols from /usr/lib/libpcap.so.2...done.
Reading symbols from /usr/lib/libm.so.2...done.
Reading symbols from /usr/local/lib/libmysqlclient.so.10...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x805ec64 in Database (p=0xbfbff60c,
    msg=0x808a980 "Ethernet destination/ARP target address mismatch",
    arg=0x80b8580, event=0xbfbff588) at spo_database.c:992
992                          p->iph->ip_proto, ntohs(p->iph->ip_csum));
(gdb)


----------------------------------------------------------------------

Comment By: Roman Danyliw (danyliw)
Date: 2002-01-12 08:52

Message:
Logged In: YES 
user_id=136911

Patch submitted to snort-devel.

Here it is again.

Roman

--- spo_database.c.old	Sat Jan 12 10:34:15 2002
+++ spo_database.c	Sat Jan 12 10:37:36 2002
@@ -968,10 +968,12 @@
         }   
 
         /*** Build the query for the IP Header ***/
-        query = NewQueryNode(query, 0);
-
-        if(data->detail)
+        if ( p->iph )
         {
+          query = NewQueryNode(query, 0);
+
+          if(data->detail)
+          {
             snprintf(query->val, MAX_QUERY_LENGTH, 
 
                      "INSERT INTO iphdr "
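Review bot: the new `if ( p->iph )` guard at the top of the IP header block carries no comment saying when `p->iph` is NULL. A one-line note that non-IP packets, such as the ARP alert in this report's backtrace, reach Database() without an IP header would keep a later cleanup from removing the test. The added lines also use 2-space indentation and `if ( ... )` spacing, while the surrounding code uses 4 spaces and `if(data->detail)`; matching the file's style would keep the diff to the logic change.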
@@ -990,9 +992,9 @@
                      p->iph->ip_tos, ntohs(p->iph->ip_len),
ntohs(p->iph->ip_id), 
                      p->frag_flag, ntohs(p->frag_offset),
p->iph->ip_ttl, 
                      p->iph->ip_proto,
ntohs(p->iph->ip_csum));
-        }
-        else
-        {
+          }
+          else
+          {
             snprintf(query->val, MAX_QUERY_LENGTH, 
 
                      "INSERT INTO iphdr "
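Review bot: the context lines carrying the snprintf arguments in this hunk have been line-wrapped in transit: `ntohs(p->iph->ip_id),`, `p->iph->ip_ttl,` and `ntohs(p->iph->ip_csum));` start in column 0 with no leading space, so they are not valid unified-diff lines and the patch will not apply as posted. The same wrapping shows up in the later hunks. Attaching the diff to the tracker item as a file would avoid it.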
@@ -1002,11 +1004,11 @@
 
                      data->shared->sid, data->shared->cid,
(u_long)ntohl(p->iph->ip_src.s_addr),
                      (u_long)ntohl(p->iph->ip_dst.s_addr),
p->iph->ip_proto);
-        }
+          }
 
-        /*** Build querys for the IP Options ***/
-        if(data->detail)
-        {
+          /*** Build querys for the IP Options ***/
+          if(data->detail)
+          {
             for(i=0 ; i < (int)(p->ip_option_count); i++)
             {
                 if(&p->ip_options[i])
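Review bot: the context line `if(&p->ip_options[i])` inside the options loop tests the address of element i rather than anything stored in it. If `ip_options` is an array member of the packet, that address is never NULL, so the check always passes and guards nothing. Since this block is being re-indented anyway, this is a good moment to test the field of the option that the loop body actually dereferences, or to drop the test.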
@@ -1029,11 +1031,14 @@
                     free(tmp);
                 }
             }
+          }
         }
 
         /*** Build query for the payload ***/
-        if(data->detail)
+        if ( p->data )
         {
+          if(data->detail)
+          {
             if(p->dsize)
             {
                 query = NewQueryNode(query, p->dsize * 2 +
MAX_QUERY_LENGTH);
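Review bot: the new `if ( p->data )` test at the top of the payload block now wraps `if(data->detail)` and `if(p->dsize)`, giving three nested tests for one decision. If no `else` hangs off any of them, a single `if(p->data && data->detail && p->dsize)` says the same thing without re-indenting the body. The crash in this report is on `p->iph` at line 992, so a short comment on which packets arrive with `p->data` NULL would document why this second guard is part of the fix.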
@@ -1064,6 +1069,7 @@
                 free (tmp);
                 free (tmp_not_escaped);
             }
+          }
         }
     }


----------------------------------------------------------------------

Comment By: Martin Roesch (roesch)
Date: 2001-12-14 07:50

Message:
Logged In: YES 
user_id=18573

Database plugin needs to be updated to account for logging
non-IP packets.  This is in Jed's ballpark.

     -Marty

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2001-12-11 14:26

Message:
Logged In: NO 

System Architecture: x86
Operating System and version: FreeBSD 4.4-STABLE
What rules (if any) you were using: all except icmp related
What command line switches you were using: -D -i fxp0
Any Snort error messages: N/A

bt output:

(gdb) bt
#0  0x805ec64 in Database (p=0xbfbff798, 
    msg=0x808a980 "Ethernet destination/ARP target address mismatch", 
    arg=0x80b8580, event=0xbfbff714) at spo_database.c:992
#1  0x8056289 in CallAlertPlugins (p=0xbfbff798, 
    message=0x808a980 "Ethernet destination/ARP target address mismatch", 
    args=0x0, event=0xbfbff714) at rules.c:3632
#2  0x8056222 in CallAlertFuncs (p=0xbfbff798, 
    message=0x808a980 "Ethernet destination/ARP target address mismatch", 
    head=0x0, event=0xbfbff714) at rules.c:3604
#3  0x8078621 in ARPspoofPreprocFunction (p=0xbfbff798) at spp_arpspoof.c:262
#4  0x80560db in Preprocess (p=0xbfbff798) at rules.c:3508
#5  0x804aaf5 in ProcessPacket (user=0x0, pkthdr=0x80b9000, 
    pkt=0x80b9012 "ÿÿÿÿÿÿ") at snort.c:536
#6  0x280c26b9 in pcap_read () from /usr/lib/libpcap.so.2
#7  0x280c232f in pcap_loop () from /usr/lib/libpcap.so.2
#8  0x804c202 in InterfaceThread (arg=0x0) at snort.c:1663
#9  0x804a9e5 in main (argc=6, argv=0xbfbffd4c) at snort.c:469
(gdb) quit


----------------------------------------------------------------------
