[Snort-devel] Result of debugger within "segmentation fault on Spade-030125.1 over Snort 2.0.0 issue"

KFC chong238803 at ...398...
Mon Apr 21 07:22:28 EDT 2003

Dear All,
      I just rebuilt snort 2.0 with spade (latest version). After running snort with this command
#./snort -i eth0 -c ./rules/snort.conf -u snort -g snort -b -l /var/snort_log_storage/

Segmentation fault occurred (about 2-3 seconds after running the above command).... But when I don't put "include spade.conf" into snort.conf, it works!!

////////Detail about my system ////////
* System Architecture: i386 Pentium III 500 MHz.
* Operating System: RedHat 7.2 with linux-2.4.7-10
* Version of Snort: snort-2.0.0 with Spade-030125.1
* What rules (if any) you were using: use example snort.conf from /untar-snort-source-path/etc/snort.conf with "include spade.conf" option line

//////End of detail of my system //////

//////////////Start of result from gdb ////////////
# gdb ./snort
GNU gdb Red Hat Linux 7.x (5.0rh-15) (MI_OUT)
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General
Public License, and you are
welcome to change it and/or distribute copies of it
under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show
warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) run -i eth0 -c ./rules/snort.conf -u snort -g
snort -b -l /var/snort_log_storage/
Starting program: /usr/local/snort/./snort -i eth0 -c
./rules/snort.conf -u snort -g snort -b -l
Running in IDS mode
Log directory = /var/snort_log_storage/

Initializing Network Interface eth0
OpenPcap() device eth0 network lookup:
        eth0: no IPv4 address assigned

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./rules/snort.conf

Initializing rule chains...
Spade is enabled
    Spade state initialized to what is in
    Spade will record its state to
/var/snort_log_storage/spade/spade.rcv after every
50000 updates
    Spade's log is
    Spade reports will go to the alert facility
    Spade homenet set to: x.x.x.x/x
    detector 1 enabled with: type=closed-dport
tcpflags=synonly wait=3
    detector 2 enabled with: type=closed-dport
tcpflags=weird thresh=0.5
    detector 3 enabled with: type=closed-dport
proto=udp wait=7
    detector 4 enabled with: type=dead-dest
tcpflags=weird wait=2
    detector 5 enabled with: type=dead-dest
tcpflags=synack wait=2
    detector 6 enabled with: type=dead-dest
tcpflags=established wait=5
    detector 7 enabled with: type=dead-dest
tcpflags=teardown wait=2
    detector 8 enabled with: type=dead-dest proto=udp
    detector 9 enabled with: type=dead-dest proto=icmp
icmptype=noterr wait=2
    detector 10 enabled with: type=odd-dport proto=tcp
    detector 11 enabled with: type=odd-dport proto=udp
    detector 12 enabled with: type=odd-typecode
    detector 13 enabled with: type=odd-typecode
    detector 14 enabled with: type=odd-port-dest
proto=tcp Xdports=53
    detector 15 enabled with: type=odd-port-dest
proto=udp Xdports=53
    detector 16 enabled with: type=odd-port-dest
proto=tcp Xdports=25
"from" setting 203.185 not valid, using home
: ./rules/spade.conf(88)
    detector spoof_ofHAN_toGITS enabled with:
type=odd-port-dest id=spoof_ofHAN_toGITS from=x.x.x.x
proto=tcp Xdports=25
    detector 18 enabled with: type=odd-port-dest
proto=tcp Xdports=110
    detector 19 enabled with: type=odd-port-dest
proto=tcp Xdports=995
    detector 20 enabled with: type=odd-port-dest
proto=tcp Xdports=143
    detector 21 enabled with: type=odd-port-dest
proto=tcp Xdports=220
    detector 22 enabled with: type=odd-port-dest
proto=udp Xdports=110
    detector 23 enabled with: type=odd-port-dest
proto=udp Xdports=995
    detector 24 enabled with: type=odd-port-dest
proto=udp Xdports=143
    detector 25 enabled with: type=odd-port-dest
proto=udp Xdports=220
    detector spoof_from_clock_tcp enabled with:
type=odd-port-dest id=spoof_from_clock_tcp proto=tcp
    detector spoof_from_clock_upd enabled with:
type=odd-port-dest id=spoof_from_clock_upd proto=udp
    detector 28 enabled with: type=odd-port-dest
from=nothome proto=tcp Xdports=80
"from" setting 164.115 not valid, using home
: ./rules/spade.conf(110)
    detector spoof_from_mailcleaner enabled with:
type=odd-port-dest id=spoof_from_mailcleaner
from=x.x.x.x proto=tcp Xdports=25
    detector 30 enabled with: type=odd-port-dest
from=nothome proto=tcp Xdports=25
    Spade survey mode inited for 30:
    Spade will report certain observation statistics
to its log file: entropy uncondprob condprob
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
18 19 20 ...
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = myhost.ids.foo:eth0
database:     sensor id = 1
database: schema version = 106
database: using the "alert" facility
1689 Snort rules read...
1689 Option Chains linked into 220 Chain Headers
0 Dynamic rules

Rule application order:

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.0 (Build 72)
By Martin Roesch (roesch at ...402...,

Program received signal SIGSEGV, Segmentation fault.
0x40019d1b in log () at eval.c:41
41      eval.c: No such file or directory.
        in eval.c

//////////////////End of Result from gdb/////////////

PS. I hid my IPs in the gdb result with "x.x.x.x".

   If you want more information, mail me; I will prepare it for you as fast as I can.

Thank you
