[Snort-devel] Core on FBSD using new SNMP trap code + spade

Glenn Mansfield Keeni glenn at ...1085...
Sun Jun 16 19:48:01 EDT 2002


Rob,
    My slip. Sorry about that. Will upload a patch shortly.
(Before the end of the day....).

    Glenn

Rob Hughes wrote:

> I've tried sending email to Glenn a couple days ago, but haven't yet
> gotten a response. Using the new snmp trap code, Snort cores on each
> spade alert. It's very repeatable, as it happens on every spade alert.
> Below is a trace using gdb:
> 
> #gdb snort snort.core
> GNU gdb 4.18 (FreeBSD)
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
> are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for
> details.
> This GDB was configured as "i386-unknown-freebsd"...
> Core was generated by `snort'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/local/lib/libidmef.so.7...done.
> Reading symbols from /usr/lib/libcipher.so.2...done.
> Reading symbols from /usr/lib/libpcap.so.2...done.
> Reading symbols from /usr/lib/libm.so.2...done.
> Reading symbols from /usr/local/lib/libsnmp.so.4...done.
> Reading symbols from /usr/lib/libssl.so.2...done.
> Reading symbols from /usr/lib/libcrypto.so.2...done.
> Reading symbols from /usr/lib/libz.so.2...done.
> Reading symbols from /usr/local/lib/libxml2.so.6...done.
> Reading symbols from /usr/lib/libc.so.4...done.
> Reading symbols from /usr/libexec/ld-elf.so.1...done.
> #0  0x807ffdd in sendInform (p=0x0,
>     msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
> 0 alerts (of 3)", AlertID=2, SnmpData=0x809dde0, event=0xbfbff698)
> ---Type <return> to continue, or q <return> to quit---
>     at spo_SnmpTrap.c:1863
> 1863        if   (p->iph && SnmpData->pPrint)
> (gdb) bt
> #0  0x807ffdd in sendInform (p=0x0,
>     msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
> 0 alerts (of 3)", AlertID=2, SnmpData=0x809dde0, event=0xbfbff698)
>     at spo_SnmpTrap.c:1863
> #1  0x807ee35 in sendSNMPInform (p=0x0,
>     msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
> 0 alerts (of 3)", AlertID=2, SnmpData=0x809dde0, event=0xbfbff698)
>     at spo_SnmpTrap.c:953
> #2  0x807ee6a in startIDWS (p=0x0,
>     msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
> 0 alerts (of 3)", event=0xbfbff698) at spo_SnmpTrap.c:974
> #3  0x807ed53 in SpoSnmpTrap (p=0x0,
>     msg=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847 after
> 0 alerts (of 3)", arg=0x809dde0, event=0xbfbff698) at spo_SnmpTrap.c:853
> #4  0x8058231 in CallAlertPlugins (p=0x0,
>     message=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847
> after 0 alerts (of 3)", args=0x0, event=0xbfbff698) at rules.c:3692
> #5  0x80581c9 in CallAlertFuncs (p=0x0,
>     message=0xbfbff6bc "spp_anomsensor: Threshold adjusted to -0.0847
> after 0 alerts (of 3)", head=0x0, event=0xbfbff698) at rules.c:3664
> #6  0x806e01e in set_new_threshold (t=-0.084715272538630704)
>     at spp_anomsensor.c:1771
> #7  0x806c4b6 in PreprocSpadeAdapt2 (p=0xbfbff7c0) at
> spp_anomsensor.c:1039
> ---Type <return> to continue, or q <return> to quit---
> #8  0x8058073 in Preprocess (p=0xbfbff7c0) at rules.c:3558
> #9  0x804bf79 in ProcessPacket (user=0x0, pkthdr=0x8147000,
>     pkt=0x8147012 "ÿÿÿÿÿÿ") at snort.c:545
> #10 0x280deac1 in pcap_read () from /usr/lib/libpcap.so.2
> #11 0x280de6f3 in pcap_loop () from /usr/lib/libpcap.so.2
> #12 0x804d622 in InterfaceThread (arg=0x0) at snort.c:1674
> #13 0x804be5d in main (argc=10, argv=0xbfbffd78) at snort.c:475
> (gdb)
> 
> 
> I'm using the example from his snort.conf that was distributed with the
> patch, so I figure this might have been something that just managed to
> slip through testing.
> 
> Thanks,
> Rob
> 
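
An added example, not part of the original thread and not the patch Glenn mentions: the trace shows `p=0x0` reaching `if (p->iph && SnmpData->pPrint)` at spo_SnmpTrap.c:1863, so this sketch shows an alert formatter that tests the packet pointer before touching it. The struct definitions and the `build_inform` helper are simplified, hypothetical stand-ins, not Snort's real types or functions.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Simplified stand-ins (assumptions), not Snort's real definitions. */
typedef struct { uint32_t ip_src, ip_dst; } IPHdr;
typedef struct { const IPHdr *iph; } Packet;
typedef struct { int pPrint; } SnmpTrapData;

/* Hypothetical helper: formats the text an inform would carry.
 * Returns 1 if packet address fields were included, 0 if only the
 * message was written, -1 on bad arguments. */
int build_inform(const Packet *p, const char *msg,
                 const SnmpTrapData *d, char *out, size_t len)
{
    if (msg == NULL || d == NULL || out == NULL || len == 0)
        return -1;

    /* Testing p before p->iph makes a packet-less alert take the
     * message-only path instead of dereferencing a NULL pointer. */
    if (p != NULL && p->iph != NULL && d->pPrint) {
        snprintf(out, len, "%s src=%08x dst=%08x", msg,
                 (unsigned)p->iph->ip_src, (unsigned)p->iph->ip_dst);
        return 1;
    }
    snprintf(out, len, "%s", msg);
    return 0;
}

int main(void)
{
    char buf[160];
    SnmpTrapData d = { 1 };
    IPHdr ih = { 0x0a000001u, 0x0a000002u };   /* constructed sample */
    Packet pkt = { &ih };

    /* Packet-less alert: in the trace, set_new_threshold() raises the
     * alert and every frame above it carries p=0x0. */
    int r = build_inform(NULL, "spp_anomsensor: Threshold adjusted",
                         &d, buf, sizeof buf);
    printf("%d %s\n", r, buf);

    r = build_inform(&pkt, "constructed packet alert", &d, buf, sizeof buf);
    printf("%d %s\n", r, buf);
    return 0;
}
```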