[Snort-devel] Version 2.0.0beta (Build 54)

Phil Wood cpw at ...117...
Tue Mar 4 16:40:18 EST 2003

Chris and the rest of you guys,

I'm not quite current with 2.0:

  Version 2.0.0beta (Build 54)

I see you are at BUILD 55 now.  Possibly the core I got will go away when
I get around to building the new snort.

Anyway, I got my first core dump in quite a while.  The rule set I'm using
is pretty sparse and the first rule is probably pretty lame:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "SMTP: Static Buffer Overflow"; flow: to_server,established; content: "To: "; content:!"|0a|"; within:250; classtype: attempted-admin ; sid:40011;  rev:1;) 

redalert udp any any -> 1236 (msg: "Test Page System"; content: "excuse me"; classtype: testing; sid:40002; rev:1;)

The second redalert is the one that snort core dumped on.  I use redalerts
like this to generate a syslog entry which I monitor and send pages about.

Here is the initial gdb:

#0  otnx_match (id=136349264, index=0, data=0x80a2814) at fpdetect.c:335
335         pmi->MatchArray[ pmi->iMatchCount ] = otnx;
(gdb) where
#0  otnx_match (id=136349264, index=0, data=0x80a2814) at fpdetect.c:335
#1  0x806819f in mwmSearch (pv=0x820fca8, 
    T=0x417b606c "excuse me\n?\e?>?\200\001\0064", n=10, 
    match=0x805eacc <otnx_match>, data=0x80a2814) at mwm.c:1390
#2  0x806204e in fpEvalPacket (p=0xbfffedc0) at fpdetect.c:943
#3  0x805b578 in Detect (p=0xbfffedc0) at detect.c:284
#4  0x805c06f in Preprocess (p=0xbfffedc0) at detect.c:104
#5  0x80564b0 in ProcessPacket (user=0x0, pkthdr=0xbffff2d0, pkt=0x417b6042 "")
    at snort.c:613
#6  0x4004751c in pcap_ring_recv (p=0x81e1370, cnt=-1, 
    callback=0x80563a8 <ProcessPacket>, user=0x0) at pcap-ring.c:354
#7  0x4003a587 in pcap_read (handle=0x81e1370, max_packets=-1, 
    callback=0x80563a8 <ProcessPacket>, user=0x0) at pcap-linux.c:573
#8  0x4003c505 in pcap_loop (p=0x81e1370, cnt=-1, 
    callback=0x80563a8 <ProcessPacket>, user=0x0) at pcap.c:87
#9  0x8057661 in InterfaceThread (arg=0x0) at snort.c:1552
#10 0x8056398 in SnortMain (argc=19, argv=0xbffff4d4) at snort.c:552
#11 0x401bdb65 in __libc_start_main (main=0x8057e40 <main>, argc=19, 
    ubp_av=0xbffff4d4, init=0x804a168 <_init>, fini=0x808920c <_fini>, 
    rtld_fini=0x4000df24 <_dl_fini>, stack_end=0xbffff4cc)
    at ../sysdeps/generic/libc-start.c:111
(gdb) list
330         }
332         /*
333         **  Add the event to the appropriate list
334         */
335         pmi->MatchArray[ pmi->iMatchCount ] = otnx;
337         /*
338         **  This means that we are adding a NC rule
339         **  and we only set the index to this rule
(gdb) print *pmi
$1 = {MatchArray = {0x0, 0x0, 0x0, 0x101, 0x82159e8, 0x8215a2a, 0x3e6542d3, 
    0xe9a55, 0x5ea, 0x5ea, 0x22d62cdc, 0x5ea05a8, 0x6879, 0x1, 0x0, 0x39, 
    0x402bfce8, 0x402bfce8, 0x0, 0x0, 0x80828b0, 0x0, 0x0, 0x8210b6c, 
    0x3e654297, 0x3e654297, 0x3, 0xc9, 0x140, 0x40, 0x0, 0x8212178, 0x0, 
    0x100, 0x8211208, 0x821123e, 0x3e6542b0, 0x9aa88, 0x3c, 0x3c, 0x770328dc, 
    0x3c0006, 0x30b, 0x0, 0x0, 0x4f1, 0x82123d0, 0x402bff38, 0x82128a8, 0x101, 
    0x6704a580, 0x48184, 0x1ece98ba, 0x0, 0x1ece98bb, 0x1ece98bb, 0x8218, 0x0, 
    0x0, 0x0, 0x0, 0x80828b0, 0x0, 0x0, 0x8210c10, 0x1aeab78c, 0x40019, 
    0x51736526, 0x51736527, 0x51736527, 0x51736527, 0x0, 0x0, 0x1, 0x0, 0x0, 
    0x80828b0, 0x0, 0x0, 0x8210c4c, 0x3e654293, 0x3e654293, 0x105, 0x82, 0x0, 
    0x451, 0x402bff28, 0x8211240, 0x3eb89a69, 0x450008, 0xbbb5a03, 0x6360040, 
    0xce41ccdf, 0xa5804be4, 0x69970700, 0xf39d1900, 0xe1219046, 0x188046fb, 
    0x6c96d016, 0x1010000}, iMatchCount = -1389032952, 
  iMatchIndex = 123857925, iMatchMaxLen = 1684344478}
(gdb) quit

Phil Wood, cpw at ...86...
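One check a practitioner would want here, added as an example and not taken from Snort's source: a bounds-checked counterpart of the write at fpdetect.c:335 that refuses to index MatchArray with a count like the one gdb printed. The struct field names follow the "print *pmi" output above; the 100-slot capacity (the number of slots gdb printed), the typedef and every function name are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mirror of the structure shown by "print *pmi".
 * Field names come from the gdb output; the capacity is an assumption
 * taken from the 100 slots gdb printed, not from Snort's headers. */
#define MATCH_ARRAY_LEN 100

typedef struct {
    const void *MatchArray[MATCH_ARRAY_LEN];
    int iMatchCount;
    int iMatchIndex;
    int iMatchMaxLen;
} match_info_t;

void match_info_init(match_info_t *pmi)
{
    memset(pmi, 0, sizeof(*pmi));
}

/* Returns 1 when every index held in pmi is inside MatchArray, 0 otherwise.
 * A negative or huge iMatchCount, as in the dump above, fails this check. */
int match_info_valid(const match_info_t *pmi)
{
    if (pmi == NULL)
        return 0;
    if (pmi->iMatchCount < 0 || pmi->iMatchCount >= MATCH_ARRAY_LEN)
        return 0;
    if (pmi->iMatchIndex < 0 || pmi->iMatchIndex >= MATCH_ARRAY_LEN)
        return 0;
    return 1;
}

/* Bounds-checked version of "pmi->MatchArray[ pmi->iMatchCount ] = otnx;".
 * Returns 0 on success, -1 (without touching memory) when the state is
 * corrupt or the array is already full. */
int match_info_add(match_info_t *pmi, const void *otnx)
{
    if (!match_info_valid(pmi))
        return -1;
    pmi->MatchArray[pmi->iMatchCount] = otnx;
    pmi->iMatchCount++;
    return 0;
}

/* Rebuilds the counters exactly as gdb printed them for the crashing pmi
 * (constructed from the dump above) so the check can be exercised. */
void match_info_from_dump(match_info_t *pmi)
{
    match_info_init(pmi);
    pmi->iMatchCount  = -1389032952;
    pmi->iMatchIndex  = 123857925;
    pmi->iMatchMaxLen = 1684344478;
}

/* Scenario helpers: one add into a fresh struct (expect count 1). */
int scenario_fresh_add(void)
{
    match_info_t mi;
    int marker = 0;
    match_info_init(&mi);
    if (match_info_add(&mi, &marker) != 0)
        return -1;
    return mi.iMatchCount;
}

/* The same add against the dumped state (expect -1, count untouched). */
int scenario_dump_add(void)
{
    match_info_t mi;
    int marker = 0;
    match_info_from_dump(&mi);
    return match_info_add(&mi, &marker);
}

int main(void)
{
    printf("fresh add -> count %d\n", scenario_fresh_add());
    printf("dumped state add -> %d\n", scenario_dump_add());
    return 0;
}
```

The counters from the dump are far outside any plausible array bound, so the first test in match_info_valid rejects them before the write; the unchecked original instead scribbles at MatchArray plus roughly -1.4e9 pointer slots, which is the SIGSEGV in frame #0. A check like this turns the fault into a returned error that the caller can log, but it does not explain why pmi held garbage in the first place, so it belongs alongside, not instead of, finding the real cause.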
