[Snort-devel] Core on FBSD using new SNMP trap code + spade

Rob Hughes rob at ...825...
Sun Jun 16 10:00:02 EDT 2002


I've tried sending email to Glenn a couple days ago, but haven't yet
gotten a response. Using the new snmp trap code, Snort cores on each
spade alert. It's very repeatable, as it happens on every spade alert.
Below is a trace using gdb:

#gdb snort snort.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `snort'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/local/lib/libidmef.so.7...done.
Reading symbols from /usr/lib/libcipher.so.2...done.
Reading symbols from /usr/lib/libpcap.so.2...done.
Reading symbols from /usr/lib/libm.so.2...done.
Reading symbols from /usr/local/lib/libsnmp.so.4...done.
Reading symbols from /usr/lib/libssl.so.2...done.
Reading symbols from /usr/lib/libcrypto.so.2...done.
Reading symbols from /usr/lib/libz.so.2...done.
Reading symbols from /usr/local/lib/libxml2.so.6...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x807ffdd in sendInform (p=0x0,
    msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
0 alerts (of 3)", AlertID=2, SnmpData=0x809dde0, event=0xbfbff698)
---Type <return> to continue, or q <return> to quit---
    at spo_SnmpTrap.c:1863
1863        if   (p->iph && SnmpData->pPrint)
(gdb) bt
#0  0x807ffdd in sendInform (p=0x0,
    msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
0 alerts (of 3)", AlertID=2, SnmpData=0x809dde0, event=0xbfbff698)
    at spo_SnmpTrap.c:1863
#1  0x807ee35 in sendSNMPInform (p=0x0,
    msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
0 alerts (of 3)", AlertID=2, SnmpData=0x809dde0, event=0xbfbff698)
    at spo_SnmpTrap.c:953
#2  0x807ee6a in startIDWS (p=0x0,
    msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
0 alerts (of 3)", event=0xbfbff698) at spo_SnmpTrap.c:974
#3  0x807ed53 in SpoSnmpTrap (p=0x0,
    msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
0 alerts (of 3)", arg=0x809dde0, event=0xbfbff698) at spo_SnmpTrap.c:853
#4  0x8058231 in CallAlertPlugins (p=0x0,
    message=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847
after 0 alerts (of 3)", args=0x0, event=0xbfbff698) at rules.c:3692
#5  0x80581c9 in CallAlertFuncs (p=0x0,
    message=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847
after 0 alerts (of 3)", head=0x0, event=0xbfbff698) at rules.c:3664
#6  0x806e01e in set_new_threshold (t=-0.084715272538630704)
    at spp_anomsensor.c:1771
#7  0x806c4b6 in PreprocSpadeAdapt2 (p=0xbfbff7c0) at
spp_anomsensor.c:1039
---Type <return> to continue, or q <return> to quit---
#8  0x8058073 in Preprocess (p=0xbfbff7c0) at rules.c:3558
#9  0x804bf79 in ProcessPacket (user=0x0, pkthdr=0x8147000,
    pkt=0x8147012 "ÿÿÿÿÿÿ") at snort.c:545
#10 0x280deac1 in pcap_read () from /usr/lib/libpcap.so.2
#11 0x280de6f3 in pcap_loop () from /usr/lib/libpcap.so.2
#12 0x804d622 in InterfaceThread (arg=0x0) at snort.c:1674
#13 0x804be5d in main (argc=10, argv=0xbfbffd78) at snort.c:475
(gdb)


I'm using the example from his snort.conf that was distributed with the
patch, so I figure this might have been something that just managed to
slip through testing.

Thanks,
Rob
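
Added example, not part of the original post and not Snort's code: the trace shows p=0x0 reaching line 1863, where p->iph is read. A minimal sketch of an alert formatter that accepts a packet-less alert; the types, the include_addrs option and format_alert are hypothetical stand-ins, and the addresses are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, cut-down stand-ins; not Snort's Packet or SnmpTrap types. */
typedef struct { unsigned char src[4], dst[4]; } IpHdr;
typedef struct { const IpHdr *iph; } Packet;      /* iph is NULL for non-IP frames */
typedef struct { int include_addrs; } TrapConfig; /* assumed option */

/* Format an alert into out. Returns 1 if packet addresses were appended,
 * 0 if the alert was emitted without packet data, -1 on bad arguments
 * or truncation. */
int format_alert(const Packet *p, const char *msg, const TrapConfig *cfg,
                 char *out, size_t outlen)
{
    if (msg == NULL || cfg == NULL || out == NULL || outlen == 0)
        return -1;

    int n = snprintf(out, outlen, "msg=\"%s\"", msg);
    if (n < 0 || (size_t)n >= outlen)
        return -1;

    /* Alerts raised by a preprocessor about its own state carry no packet
     * (p=0x0 in frames #0 to #5 of the trace), so test p before p->iph. */
    if (p == NULL || p->iph == NULL || !cfg->include_addrs)
        return 0;

    const IpHdr *ip = p->iph;
    int m = snprintf(out + n, outlen - (size_t)n,
                     " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
                     ip->src[0], ip->src[1], ip->src[2], ip->src[3],
                     ip->dst[0], ip->dst[1], ip->dst[2], ip->dst[3]);
    if (m < 0 || (size_t)m >= outlen - (size_t)n)
        return -1;
    return 1;
}

int main(void)
{
    char buf[160];
    TrapConfig cfg = { 1 };
    IpHdr ip = { {192, 0, 2, 10}, {192, 0, 2, 20} };   /* constructed sample */
    Packet pkt = { &ip };

    format_alert(NULL, "threshold adjusted", &cfg, buf, sizeof buf);
    puts(buf);                                        /* packet-less alert */
    format_alert(&pkt, "anomalous packet", &cfg, buf, sizeof buf);
    puts(buf);
    return 0;
}
```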