[Snort-devel] random crashes in snort-current

Martin Roesch roesch at ...402...
Sat Jan 4 21:32:01 EST 2003


We need a backtrace and some other information to be of use here;
please check out the BUGS file and respond with the relevant
information.

     -Marty

On Wednesday, December 18, 2002, at 12:38 PM, Nathan W. Labadie wrote:

> I've been getting random crashes in snort-current. It's difficult to
> run snort with --enable-debug because of the amount of traffic it
> monitors (uses 99% of the CPU). I don't know if this will help, but
> running snort in gdb gave me the following:
>
> ---snip---
> security snort # gdb /usr/bin/snort
> GNU gdb 5.2.1
> (gdb) run -d -o -i eth1 -c /etc/snort/snort.conf -k none
> Starting program: /usr/bin/snort -d -o -i eth1 -c /etc/snort/snort.conf -k none
> Initializing Output Plugins!
> Running in IDS mode
> Log directory = /var/log/snort
>
> Initializing Network Interface eth1
>
>         --== Initializing Snort ==--
> Rule application order changed to Pass->Alert->Log
> Decoding Ethernet on interface eth1
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> [*] Frag2 config:
>     Fragment timeout: 30 seconds
>     Fragment memory cap: 16777216 bytes
>     Fragment min_ttl:   0
>     Fragment ttl_limit: 0
>     Fragment Problems: 0
>     State Protection: 0
>     Self preservation threshold: 500
>     Self preservation period: 90
>     Suspend threshold: 1000
>     Suspend period: 30
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 10 seconds
>     Session memory cap: 25165824 bytes
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: INACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 0
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 500
>     Self preservation period: 90
>     Suspend threshold: 1000
>     Suspend period: 30
> Stream4_reassemble config:
>     Server reassembly: ACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: INACTIVE
>     Ports: 21 23 25 53 80 110 111 143 513 1433
>     Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> http_decode arguments:
>     Unicode decoding
>     IIS alternate Unicode decoding
>     IIS double encoding vuln
>     Flip backslash to slash
>     Include additional whitespace separators
>     Ports to decode http on: 80
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32772
> telnet_decode arguments:
>     Ports to decode telnet on: 21 23 25 119
> Opening /var/log/snort/snort-unified.log.1040228308
> 337 Snort rules read...
> 337 Option Chains linked into 73 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Rule application order: ->pass->activation->dynamic->alert->log
>
>         --== Initialization Complete ==--
>
> -*> Snort! <*-
> Version 2.0.0beta (Build 44)
> By Martin Roesch (roesch at ...402..., www.snort.org)
> ICMP Unreachable IP short header (1 bytes)
> ICMP Unreachable IP short header (1 bytes)
> ICMP Unreachable IP short header (1 bytes)
> ICMP Unreachable IP short header (1 bytes)
> ICMP Unreachable IP short header (1 bytes)
> ICMP Unreachable IP short header (1 bytes)
> ICMP Unreachable IP short header (1 bytes)
> ICMP Unreachable IP short header (1 bytes)
> ICMP Unreachable IP short header (1 bytes)
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x402cb78c in main_arena () from /lib/libc.so.6
> ---snip---
>
> NOTE: I'm not on the list, please include me in the reply.
>
> Thanks,
> Nate
>
> -- 
> Nathan W. Labadie       | ab0781 at ...839...	
> Sr. Security Specialist | 313-577-2126
> Wayne State University  | 313-577-1338 fax
> C&IT Information Security Office: http://security.wayne.edu
>
-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




