[Snort-devel] [ snort-Bugs-464851 ] problem with xml output

noreply at ...12... noreply at ...12...
Sat Jan 12 18:39:05 EST 2002


Bugs item #464851, was opened at 2001-09-25 08:34
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=464851&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Jed Pickel (jpickel)
Summary: problem with xml output

Initial Comment:
System info:
	SunOS 5.8 Generic_108528-08 sun4u sparc
	SUNW,Sun-Blade-100

Snort cvs version updated on 09-25-2001 dumping core
while using xml output plugin; gdb trace follows

#0  0xff1422d0 in _free_unlocked () from /usr/lib/libc.so.1
#1  0xff142288 in free () from /usr/lib/libc.so.1
#2  0x4b10c in freetag (root=0x66ec08) at spo_xml.c:1326
#3  0x4b0e8 in freetag (root=0x66eb48) at spo_xml.c:1322
#4  0x4b0e8 in freetag (root=0x16dc60) at spo_xml.c:1322
#5  0x4b058 in flush_data (d=0x17b7b8) at spo_xml.c:1302
#6  0x49f58 in LogXml (p=0x66eb48, msg=0x0, arg=0x17b7b8, event=0x66ec08)
    at spo_xml.c:520
#7  0x3b284 in CallLogFuncs (p=0xffbee538, message=0x31c9f0 "DDOS Trin00",
    head=0x17b3f8, event=0x3217cc) at rules.c:3492
#8  0x3c638 in AlertAction (p=0xffbee538, otn=0x320fa8, event=0x3217cc)
    at rules.c:4977
#9  0x3b74c in EvalHeader (rtn_idx=0x320b50, p=0xffbee538) at rules.c:3812
#10 0x3b5ec in EvalPacket (List=0x1585b0, mode=2, p=0xffbee538) at rules.c:3711
#11 0x3b434 in Detect (p=0xffbee538) at rules.c:3604
#12 0x3b1e4 in Preprocess (p=0xffbee538) at rules.c:3447
#13 0x2e8a4 in ProcessPacket (user=0x0, pkthdr=0x168400, pkt=0x16e542 "")
    at snort.c:530
#14 0x63e80 in pcap_read ()
#15 0x64ab4 in pcap_loop ()
#16 0x2ffdc in InterfaceThread (arg=0x16866c) at snort.c:1570
#17 0x2e740 in main (argc=1476204, argv=0xffbeec34) at snort.c:463

#1  0xff142288 in free () from /usr/lib/libc.so.1
#2  0x4b10c in freetag (root=0x66ec08) at spo_xml.c:1326
1326        free(root->value);
#3  0x4b0e8 in freetag (root=0x66eb48) at spo_xml.c:1322
1322                freetag(root->tag[x]);
#4  0x4b0e8 in freetag (root=0x16dc60) at spo_xml.c:1322
1322                freetag(root->tag[x]);
#5  0x4b058 in flush_data (d=0x17b7b8) at spo_xml.c:1302
1302        if(d->root) freetag(d->root);
#6  0x49f58 in LogXml (p=0x66eb48, msg=0x0, arg=0x17b7b8, event=0x66ec08)
    at spo_xml.c:520
520             flush_data(d);
#7  0x3b284 in CallLogFuncs (p=0xffbee538, message=0x31c9f0 "DDOS Trin00",
    head=0x17b3f8, event=0x3217cc) at rules.c:3492
3492            idx->func(p, message, idx->arg, event);
#8  0x3c638 in AlertAction (p=0xffbee538, otn=0x320fa8, event=0x3217cc)
    at rules.c:4977
4977            CallLogFuncs(p, otn->message, otn->rtn->listhead, event);
#9  0x3b74c in EvalHeader (rtn_idx=0x320b50, p=0xffbee538) at rules.c:3812
3812                        AlertAction(p, otn_tmp, &otn_tmp->event_data);
#10 0x3b5ec in EvalPacket (List=0x1585b0, mode=2, p=0xffbee538) at rules.c:3711
3711            retval = EvalHeader(rtn_idx, p);
#11 0x3b434 in Detect (p=0xffbee538) at rules.c:3604
3604            if(EvalPacket(rule->RuleList, rule->mode, p))
#12 0x3b1e4 in Preprocess (p=0xffbee538) at rules.c:3447
3447            retval = Detect(p);
#13 0x2e8a4 in ProcessPacket (user=0x0, pkthdr=0x168400, pkt=0x16e542 "")
    at snort.c:530
530             Preprocess(&p);
#14 0x63e80 in pcap_read ()
#15 0x64ab4 in pcap_loop ()
#16 0x2ffdc in InterfaceThread (arg=0x16866c) at snort.c:1570
1570        if(pcap_loop(pds[myint], pv.pkt_cnt, (pcap_handler) ProcessPacket, NULL) < 0)
#17 0x2e740 in main (argc=1476204, argv=0xffbeec34) at snort.c:463
463         InterfaceThread(NULL);

----------------------------------------------------------------------

Comment By: Roman Danyliw (danyliw)
Date: 2002-01-12 09:52

Message:
Logged In: YES 
user_id=136911

Patch submitted to snort-devel.

Roman

----------------------------------------------------------------------

Comment By: Ron Fritz (rcf)
Date: 2001-12-20 09:43

Message:
Logged In: YES 
user_id=407269

Sending certain large ICMP packets past snort with full XML 
logging seems to crash snort and/or produce bad XML. 
Digging into spo_xml.c (from 1.8.3), it looks like the 
problem stems from the if/else statements at lines 1573, 
1590, and 1621. If none of these tests are true (i.e., no 
recorded header in the packet?), the Tag *tmp variable is 
never initialized. This causes the addtag calls at 1642, 
1644, or 1646 to attach the packet data to the wrong tag.

----------------------------------------------------------------------
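
Added example, not part of the tracker thread and not code from spo_xml.c or the submitted patch: a simplified C model of the pattern Ron Fritz's comment describes, where a parent-tag pointer is set only inside an if/else chain and then used for the payload. The Tag layout, the newtag/addtag/freetag signatures, the HDR_* constants, the tag names and the fall-back-to-packet policy are all assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_CHILDREN 8
enum { HDR_NONE, HDR_TCP, HDR_UDP, HDR_ICMP };   /* hypothetical header kinds */
/* Simplified stand-in for the plugin's tag tree (assumed layout). */
typedef struct Tag {
    const char *name;
    char *value;                      /* heap-owned copy, may be NULL */
    struct Tag *tag[MAX_CHILDREN];
    int ntags;
} Tag;
static Tag *newtag(const char *name, const char *value) {
    Tag *t = calloc(1, sizeof *t);    /* calloc: value and children start NULL */
    size_t n = value ? strlen(value) + 1 : 0;
    if (!t || (n && !(t->value = malloc(n)))) abort();
    if (n) memcpy(t->value, value, n);
    t->name = name;
    return t;
}

static void freetag(Tag *root) {
    if (!root) return;
    for (int x = 0; x < root->ntags; x++) freetag(root->tag[x]);
    free(root->value);                /* safe: NULL or memory newtag allocated */
    free(root);
}

/* Attach child under parent; on failure the child is freed and NULL returned. */
static Tag *addtag(Tag *parent, Tag *child) {
    if (!parent || parent->ntags == MAX_CHILDREN) { freetag(child); return NULL; }
    return parent->tag[parent->ntags++] = child;
}

/* Returns the tag the payload ended up under, or NULL on failure. */
static Tag *build_packet(Tag *packet, int hdr, const char *payload) {
    Tag *tmp = NULL;                  /* defined even when no branch matches */
    if (hdr == HDR_TCP)       tmp = addtag(packet, newtag("tcp_hdr", NULL));
    else if (hdr == HDR_UDP)  tmp = addtag(packet, newtag("udp_hdr", NULL));
    else if (hdr == HDR_ICMP) tmp = addtag(packet, newtag("icmp_hdr", NULL));
    if (!tmp) tmp = packet;           /* no header recorded: use the packet tag */
    return addtag(tmp, newtag("data", payload)) ? tmp : NULL;
}

int main(void) {
    Tag *p = newtag("packet", NULL);
    int ok = build_packet(p, HDR_NONE, "41414141") == p;  /* constructed input */
    freetag(p);
    return !ok;
}
```

Without the `tmp = NULL` initializer and the fallback, the final addtag call would receive whatever value the stack slot happened to hold, so the payload would be linked under an unrelated tag or a stray address that a later recursive free then walks into.

----------------------------------------------------------------------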

Comment By: Martin Roesch (roesch)
Date: 2001-09-27 22:17

Message:
Logged In: YES 
user_id=18573

Assigned to Jed...

----------------------------------------------------------------------
