[Snort-devel] Bus error on Suse/Sparc in stream4

Carsten Schmitz cschmitz at ...1762...
Mon Jan 6 16:25:02 EST 2003


Hi,

Hope this is the correct mailing list for my problem, maybe someone can
give me a hint? I don't think it's a bug though, I must be doing
something wrong.

I am running Snort 1.9 stable (compiled with mysql) on SuSE Linux 7.3
for Sparc (on a Sun Netra T1/105). Libpcap is version 0.4 (the one Snort
advised me to download and build because it was initially missing),
ruleset is the stable one from January 5.

Problem:
Snort starts fine, but it crashes with a bus error as soon as some
network activity happens (e.g. opening a browser and bringing up
the homepage on the machine where Snort is running makes it crash
immediately). 100% reproducible.

Disabling stream4 and stream4_reassemble makes it work, so the problem
must be happening there.

Below I attach a run from within gdb.

Thanks a lot in advance,

Carsten



server:/ # gdb snort
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-suse-linux"...
(gdb) run
Starting program: /usr/local/bin/snort
Initializing Output Plugins!
Log directory = /var/log/snort

Initializing Network Interface eth0
using config file /etc/snort.conf
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.1.10
database:     sensor id = 1
database: schema version = 106
database: using the "log" facility
xml_plugin: Logging to /var/log/snortxml/snortxml
xml_plugin: Using the "log" facility
1693 Snort rules read...
1693 Option Chains linked into 208 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initializing Snort ==--
Decoding Ethernet on interface eth0

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.9.0 (Build 209)
By Martin Roesch (roesch at ...402..., www.snort.org)

Program received signal SIGBUS, Bus error.
0x3de40 in BuildPacket (s=0x15773c, stream_size=553, p=0xeffff070, direction=0)
    at spp_stream4.c:3359
3359            stream_pkt->iph->ip_src.s_addr = p->iph->ip_dst.s_addr;
(gdb)
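
Added example, not part of the original post and not Snort's code: on SPARC a SIGBUS at a 32-bit store such as the one at spp_stream4.c:3359 is typically an unaligned access, and that is assumed here to be the cause. The code shows why an IP header that follows a 14-byte Ethernet header in a 4-byte-aligned buffer is misaligned, and two remedies (a 2-byte pad before the frame, or memcpy for the address fields). All names and the sample address are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN   14   /* Ethernet header length */
#define IP_HLEN    20   /* IPv4 header without options */
#define IP_SRC_OFF 12   /* offset of the source address in the IPv4 header */
#define IP_DST_OFF 16   /* offset of the destination address */

/* Constructed stand-in for a rebuilt-packet buffer, 4-byte aligned. */
static _Alignas(4) uint8_t pkt_buf[2 + ETH_HLEN + IP_HLEN];

/* 1 if a 32-bit load/store through p would trap on a strict-alignment
 * CPU such as SPARC, 0 otherwise. */
int is_misaligned32(const void *p)
{
    return ((uintptr_t)p & 3u) != 0;
}

/* IP header position when the frame starts `pad` bytes into buf. */
uint8_t *ip_header_at(uint8_t *buf, size_t pad)
{
    return buf + pad + ETH_HLEN;
}

/* Alignment-safe form of  new->iph->ip_src.s_addr = orig->iph->ip_dst.s_addr;
 * memcpy makes no alignment assumption about either pointer. */
void copy_dst_to_src(uint8_t *new_iph, const uint8_t *orig_iph)
{
    memcpy(new_iph + IP_SRC_OFF, orig_iph + IP_DST_OFF, 4);
}

int main(void)
{
    /* Constructed original header: destination 192.0.2.1 */
    uint8_t orig[IP_HLEN] = {0};
    orig[16] = 192; orig[17] = 0; orig[18] = 2; orig[19] = 1;

    uint8_t *unpadded = ip_header_at(pkt_buf, 0);  /* offset 14 */
    uint8_t *padded   = ip_header_at(pkt_buf, 2);  /* offset 16 */
    printf("no pad:     misaligned=%d\n", is_misaligned32(unpadded));
    printf("2-byte pad: misaligned=%d\n", is_misaligned32(padded));

    copy_dst_to_src(unpadded, orig);   /* safe even at offset 14 */
    printf("new src: %u.%u.%u.%u\n", unpadded[12], unpadded[13],
           unpadded[14], unpadded[15]);
    return 0;
}
```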






