[Snort-devel] snort-2.0.0 OpenBSD-3.3/alpha bug report

Jarkko Turkulainen jt at ...2042...
Tue Jun 17 05:46:18 EDT 2003


System: OpenBSD-3.3/alpha
Snort: version 2.0.0, stock configuration file + plugins
Symptoms: core dump after the first packet (only in IDS mode)


Command line:

# /home/jt/work/snort-2.0.0/src/snort -i de0 -l /tmp/snort \
	-c /home/jt/work/snort-2.0.0/etc/snort.conf

Running in IDS mode
Log directory = /tmp/snort/

Initializing Network Interface de0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface de0
Initializing Preprocessors!
Initializing Plug-ins!
Plugin: TcpWinCheckInit Initialized
-------------------------------------------------
 Keyword     |       Preprocessor @
-------------------------------------------------
http_decode  :       0x120067dc0
http_decode_ignore:       0x120068200
portscan     :       0x12006c720
portscan-ignorehosts:       0x12006da80
rpc_decode   :       0x12006e660
bo           :       0x1200630a0
telnet_decode:       0x12007e940
stream4      :       0x1200716e0
stream4_reassemble:       0x120072a60
frag2        :       0x1200647e0
arpspoof     :       0x120062a80
arpspoof_detect_host:       0x120062ce0
conversation :       0x120081220
portscan2    :       0x1200861e0
portscan2-ignorehosts:       0x120083be0
portscan2-ignoreports-from:       0x1200843a0
portscan2-ignoreports-to:       0x120084400
HttpFlow     :       0x12007f340
PerfMonitor  :       0x12007fd00
-------------------------------------------------

-------------------------------------------------
 Keyword     |      Plugin Registered @
-------------------------------------------------
content      :      0x120057e00
content-list :      0x120057c80
offset       :      0x120058000
depth        :      0x120058220
nocase       :      0x120058400
rawbytes     :      0x120058560
regex        :      0x120058a60
uricontent   :      0x120057f00
distance     :      0x120058620
within       :      0x120058840
flags        :      0x12005c940
itype        :      0x120053cc0
icode        :      0x120052da0
ttl          :      0x12005e140
id           :      0x120055480
ack          :      0x12005c580
seq          :      0x12005d780
dsize        :      0x120052400
ipopts       :      0x1200569c0
rpc          :      0x12005a9c0
icmp_id      :      0x1200532c0
icmp_seq     :      0x1200537c0
session      :      0x12005b760
tos          :      0x120056420
fragbits     :      0x120054220
fragoffset   :      0x120054c60
window       :      0x12005db20
ip_proto     :      0x1200558c0
sameip       :      0x120055fe0
flow         :      0x12005ec60
byte_test    :      0x12005fa80
byte_jump    :      0x120060e20
-------------------------------------------------

-------------------------------------------------
 Keyword     |          Output @
-------------------------------------------------
alert_syslog :       0x120046b60
log_tcpdump  :       0x12004e560
database     :       0x1200499c0
alert_fast   :       0x120045740
alert_full   :       0x120046260
alert_unixsock:       0x120047b60
alert_CSV    :       0x1200482a0
log_null     :       0x12004e360
log_unified  :       0x120050aa0
alert_unified:       0x120050640
unified      :       0x12004f020
log_ascii    :       0x120051400
-------------------------------------------------

Parsing Rules file /home/jt/work/snort-2.0.0/etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
1331 Snort rules read...
1331 Option Chains linked into 139 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.0 (Build 72)
By Martin Roesch (roesch at ...402..., www.snort.org)
Memory fault (core dumped)


Debugger output:

(gdb) bt
#0  0x12003a484 in otnx_match (id=574625392, index=3, data=0x12010faa0)
    at fpdetect.c:607
#1  0x12003dd08 in mwmSearchExBC (ps=0x1223fd000, Tx=0x12010fbc8 "Þ\t\001",
    n=32, Tc=0x1202661bc "Þ\t\001", match=0x12003a440 <otnx_match>,
    data=0x12010faa0) at mwm.c:1070
#2  0x12003ec48 in mwmSearch (pv=0x1223fd000, T=0x1202661bc "Þ\t\001", n=32,
    match=0x12003a440 <otnx_match>, data=0x12010faa0) at mwm.c:1402
#3  0x12003fa4c in mpseSearch (pv=0x122400d80, T=0x1202661bc "Þ\t\001", n=32,
    action=0x12003a440 <otnx_match>, data=0x12010faa0) at mpse.c:219
#4  0x12003acc0 in fpEvalHeaderSW (port_group=0x120c12700, p=0x1ffffebc0,
    check_ports=1) at fpdetect.c:943
#5  0x12003af74 in fpEvalHeaderUdp (p=0x1ffffebc0) at fpdetect.c:1072
#6  0x12003b4b4 in fpEvalPacket (p=0x1ffffebc0) at fpdetect.c:1302
#7  0x1200313d0 in Detect (p=0x1ffffebc0) at detect.c:283
#8  0x120030dc0 in Preprocess (p=0x1ffffebc0) at detect.c:104
#9  0x1200257bc in ProcessPacket (user=0x0, pkthdr=0x120266178,
    pkt=0x120266192 "") at snort.c:595



Best regards,

--
Jarkko Turkulainen <jt at ...2042...>




