[Snort-devel] Core on FBSD using new SNMP trap code + spade
Glenn Mansfield Keeni
glenn at ...1085...
Sun Jun 16 19:48:01 EDT 2002
Rob,
My slip. Sorry about that. Will upload a patch shortly.
(Before the end of the day....).
Glenn
Rob Hughes wrote:
> I've tried sending email to Glenn a couple days ago, but haven't yet
> gotten a response. Using the new snmp trap code, Snort cores on each
> spade alert. It's very repeatable, as it happens on every spade alert.
> Below is a trace using gdb:
>
> #gdb snort snort.core
> GNU gdb 4.18 (FreeBSD)
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
> are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for
> details.
> This GDB was configured as "i386-unknown-freebsd"...
> Core was generated by `snort'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/local/lib/libidmef.so.7...done.
> Reading symbols from /usr/lib/libcipher.so.2...done.
> Reading symbols from /usr/lib/libpcap.so.2...done.
> Reading symbols from /usr/lib/libm.so.2...done.
> Reading symbols from /usr/local/lib/libsnmp.so.4...done.
> Reading symbols from /usr/lib/libssl.so.2...done.
> Reading symbols from /usr/lib/libcrypto.so.2...done.
> Reading symbols from /usr/lib/libz.so.2...done.
> Reading symbols from /usr/local/lib/libxml2.so.6...done.
> Reading symbols from /usr/lib/libc.so.4...done.
> Reading symbols from /usr/libexec/ld-elf.so.1...done.
> #0 0x807ffdd in sendInform (p=0x0,
> msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
> 0 alerts (of 3)", AlertID=2, SnmpData=0x809dde0, event=0xbfbff698)
> ---Type <return> to continue, or q <return> to quit---
> at spo_SnmpTrap.c:1863
> 1863 if (p->iph && SnmpData->pPrint)
> (gdb) bt
> #0 0x807ffdd in sendInform (p=0x0,
> msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
> 0 alerts (of 3)", AlertID=2, SnmpData=0x809dde0, event=0xbfbff698)
> at spo_SnmpTrap.c:1863
> #1 0x807ee35 in sendSNMPInform (p=0x0,
> msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
> 0 alerts (of 3)", AlertID=2, SnmpData=0x809dde0, event=0xbfbff698)
> at spo_SnmpTrap.c:953
> #2 0x807ee6a in startIDWS (p=0x0,
> msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
> 0 alerts (of 3)", event=0xbfbff698) at spo_SnmpTrap.c:974
> #3 0x807ed53 in SpoSnmpTrap (p=0x0,
> msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
> 0 alerts (of 3)", arg=0x809dde0, event=0xbfbff698) at spo_SnmpTrap.c:853
> #4 0x8058231 in CallAlertPlugins (p=0x0,
> message=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847
> after 0 alerts (of 3)", args=0x0, event=0xbfbff698) at rules.c:3692
> #5 0x80581c9 in CallAlertFuncs (p=0x0,
> message=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847
> after 0 alerts (of 3)", head=0x0, event=0xbfbff698) at rules.c:3664
> #6 0x806e01e in set_new_threshold (t=-0.084715272538630704)
> at spp_anomsensor.c:1771
> #7 0x806c4b6 in PreprocSpadeAdapt2 (p=0xbfbff7c0) at
> spp_anomsensor.c:1039
> ---Type <return> to continue, or q <return> to quit---
> #8 0x8058073 in Preprocess (p=0xbfbff7c0) at rules.c:3558
> #9 0x804bf79 in ProcessPacket (user=0x0, pkthdr=0x8147000,
> pkt=0x8147012 "ÿÿÿÿÿÿ") at snort.c:545
> #10 0x280deac1 in pcap_read () from /usr/lib/libpcap.so.2
> #11 0x280de6f3 in pcap_loop () from /usr/lib/libpcap.so.2
> #12 0x804d622 in InterfaceThread (arg=0x0) at snort.c:1674
> #13 0x804be5d in main (argc=10, argv=0xbfbffd78) at snort.c:475
> (gdb)
>
>
> I'm using the example from his snort.conf that was distributed with the
> patch, so I figure this might have been something that just managed to
> slip through testing.
>
> Thanks,
> Rob
>
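The trace above shows `sendInform` reading `p->iph` at spo_SnmpTrap.c:1863 while `p=0x0`, because the Spade threshold alert is raised without an associated packet. The following is an added example, not code from this thread or from the Snort source, of an output handler that tolerates a packet-less alert; the types and the `format_alert` function are hypothetical simplifications.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for the types seen in the trace. */
typedef struct { unsigned char ip_ttl; } IPHdr;
typedef struct { IPHdr *iph; } Packet;
typedef struct { int pPrint; } SnmpTrapData;

enum { ALERT_BAD_ARGS = -1, ALERT_MSG_ONLY = 0, ALERT_WITH_PACKET = 1 };

/* Formats an alert into out. Alerts raised by a preprocessor about its own
 * state (frames #6 to #4 of the trace) arrive with p == NULL, so the packet
 * pointer is checked before any of its members is read. */
int format_alert(const Packet *p, const char *msg,
                 const SnmpTrapData *data, char *out, size_t outlen)
{
    if (msg == NULL || data == NULL || out == NULL || outlen == 0)
        return ALERT_BAD_ARGS;

    /* The faulting line read p->iph first; test p itself before that. */
    if (p != NULL && p->iph != NULL && data->pPrint) {
        snprintf(out, outlen, "%s [ttl=%u]", msg, (unsigned)p->iph->ip_ttl);
        return ALERT_WITH_PACKET;
    }
    snprintf(out, outlen, "%s", msg);
    return ALERT_MSG_ONLY;
}

int main(void)
{
    char buf[128];
    IPHdr ip = { 64 };          /* constructed sample header */
    Packet pkt = { &ip };
    SnmpTrapData data = { 1 };

    /* Packet-less alert, like the Spade threshold message in the trace. */
    int r1 = format_alert(NULL, "Threshold adjusted", &data, buf, sizeof buf);
    printf("%d %s\n", r1, buf);

    /* Ordinary alert tied to a captured packet. */
    int r2 = format_alert(&pkt, "Anomalous packet", &data, buf, sizeof buf);
    printf("%d %s\n", r2, buf);
    return 0;
}
```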