[Snort-devel] build 55

Phil Wood cpw at ...117...
Tue Mar 4 17:05:14 EST 2003

Hello again,

Looks like it happens with build 55 too.

Rule is (in case it got lost):

redalert udp any any -> 1236 (msg: "Test Page System"; content: "excuse me"; classtype: testing; sid:40002; rev:1;)

Initializing Output Plugins!
Running in IDS mode
Log directory = /data/pw/log/acid

Initializing Network Interface eth2
OpenPcap() device eth2 network lookup: 
        eth2: no IPv4 address assigned
libpcap version: 0.8
Kernel filter, Protocol 0300, MMAP mode (32768 frames, snapshot 1514), socket type: Raw

        --== Initializing Snort ==--
Rule application order changed to Pass->Alert->Log
Checking PID path...
PID path stat checked out ok, PID path set to /var/run/
Writing PID "26963" to file "/var/run//snort_eth2-aa.pid"
Decoding Ethernet on interface eth2
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /data/pw/scripts/aa.conf

Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433 
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
database: compiled support for ( mysql )
database: configured to use mysql
database: database name = arpanet
database:          port = 3306
database:          user = arpanet
database: password is set
database:   sensor name = aa
database:          host = cynosure.lanl.gov
database:     sensor id = 2
database: schema version = 106
database: using the "alert" facility
Commandline option overiding rule file config
1 Snort rules read...
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules

Rule application order: ->pass->activation->dynamic->alert->log->redalert

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.0beta (Build 55)
By Martin Roesch (roesch at ...402..., www.snort.org)
S:1046825909.931371 422 0 422 0 87063 68595746 170770 0 511 5 0 000000010.045761
S:1046825919.977132 322 0 322 0 85984 68536646 131171 0 833 4 0 000000010.074157
/data/pw/dowatch: line 20: 26963 Segmentation fault 

# gdb xaa20030304.1758 caa20030304.1758
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...

warning: core file may not match specified executable file.
Core was generated by `snort -S INSTANCE=aa20030304.1758 -S LOGDIR=/data/pw/log/acid -S IDS_BASE=/data'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libpcap-0.6.2.so...done.
Loaded symbols for /usr/lib/libpcap-0.6.2.so
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /usr/local/lib/libmysqlclient.so.9...done.
Loaded symbols for /usr/local/lib/libmysqlclient.so.9
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_nisplus.so.2...done.
Loaded symbols for /lib/libnss_nisplus.so.2
Reading symbols from /lib/libnss_nis.so.2...done.
Loaded symbols for /lib/libnss_nis.so.2
Reading symbols from /lib/libnss_dns.so.2...done.
Loaded symbols for /lib/libnss_dns.so.2
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
#0  otnx_match (id=136896112, index=0, data=0x8125054) at fpdetect.c:335
335         pmi->MatchArray[ pmi->iMatchCount ] = otnx;
(gdb) where
#0  otnx_match (id=136896112, index=0, data=0x8125054) at fpdetect.c:335
#1  0x806946f in mwmSearch (pv=0x82954c8, T=0x4043b06c "excuse me\n", n=10, 
    match=0x805fd9c <otnx_match>, data=0x8125054) at mwm.c:1390
#2  0x806331e in fpEvalPacket (p=0xbfffedc0) at fpdetect.c:943
#3  0x805c848 in Detect (p=0xbfffedc0) at detect.c:284
#4  0x805d33f in Preprocess (p=0xbfffedc0) at detect.c:104
#5  0x8057780 in ProcessPacket (user=0x0, pkthdr=0xbffff2d0, pkt=0x4043b042 "")
    at snort.c:613
#6  0x4004751c in pcap_ring_recv (p=0x8266b90, cnt=-1, 
    callback=0x8057678 <ProcessPacket>, user=0x0) at pcap-ring.c:354
#7  0x4003a587 in pcap_read (handle=0x8266b90, max_packets=-1, 
    callback=0x8057678 <ProcessPacket>, user=0x0) at pcap-linux.c:573
#8  0x4003c505 in pcap_loop (p=0x8266b90, cnt=-1, 
    callback=0x8057678 <ProcessPacket>, user=0x0) at pcap.c:87
#9  0x8058931 in InterfaceThread (arg=0x0) at snort.c:1552
#10 0x8057668 in SnortMain (argc=19, argv=0xbffff4d4) at snort.c:552
#11 0x400d7b65 in __libc_start_main (main=0x8059110 <main>, argc=19, 
    ubp_av=0xbffff4d4, init=0x804b5a0 <_init>, fini=0x80f5bec <_fini>, 
    rtld_fini=0x4000df24 <_dl_fini>, stack_end=0xbffff4cc)
    at ../sysdeps/generic/libc-start.c:111
(gdb) print *pmi
$1 = {MatchArray = {0x356d0a0d, 0x487a3776, 0x4737714a, 0x44535a6f, 
    0x7343557a, 0x71306e44, 0x6e794378, 0x6c2b496a, 0x6e5a734a, 0x48724358, 
    0x44694f63, 0x48485841, 0x67705a34, 0x50775279, 0x4f787179, 0x6d4e3950, 
    0x72384d79, 0x362b506a, 0x5966564b, 0xa0d5855, 0x4e536a41, 0x626b5479, 
    0x4d316366, 0x56484973, 0x49586169, 0x67625a55, 0x46347065, 0x32665052, 
    0x6c426638, 0x51526679, 0x4f755354, 0x46565a78, 0x554d6f58, 0x5357762f, 
    0x56655864, 0x6e745773, 0x5666494a, 0x43356e75, 0x7150796d, 0x72720a0d, 
    0x686c6d75, 0x2f7a3473, 0x2f4c5965, 0x70686d50, 0x6a755139, 0x45686359, 
    0x6f517333, 0x424f5739, 0x56584f56, 0x63464f37, 0x62484d4e, 0x4e45372b, 
    0x4b393633, 0x30583577, 0x39424a78, 0x534b3172, 0x38506b34, 0x4a4a594d, 
    0xa0d452f, 0x722b4731, 0x45726c57, 0x54624c5a, 0x2f587444, 0x58614a41, 
    0x7a78494a, 0x46464836, 0x62336772, 0x5a36762b, 0x45727471, 0x6c387874, 
    0x6a6c5a70, 0x506e4c32, 0x656b4336, 0x594a5648, 0x364d3338, 0x6f587332, 
    0x664d697a, 0x642b7a70, 0x73590a0d, 0x6b587675, 0x314a5273, 0x49743347, 
    0x68646663, 0x39444d47, 0x6d313550, 0x4d576474, 0x7a333238, 0x55327270, 
    0x554b2b6e, 0x46412f4c, 0x70316679, 0x71316661, 0x6b623246, 0x576a6d6b, 
    0x46587a58, 0x447a302b, 0x34564971, 0xa0d4d2f, 0x714c4831, 0x4a30636b}, 
  iMatchCount = 1248097130, iMatchIndex = 1211326818, 
  iMatchMaxLen = 1735086957}

Phil Wood, cpw at ...86...
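The gdb dump above is more telling than it first looks. The following is an added example, not part of the original post or of Snort: it takes the word values gdb printed for `*pmi` and reinterprets them as the bytes they occupy in memory on i386 (little-endian). Every field, including `iMatchCount`, `iMatchIndex` and `iMatchMaxLen`, decodes to printable characters from the base64 alphabet with CR/LF every so often, which is what a MIME-encoded message body looks like on the wire. That is an inference, not something the post states; so is the assumption that `MatchArray` holds exactly the 100 entries gdb printed. What is not in doubt is the arithmetic: the store at fpdetect.c:335, `pmi->MatchArray[pmi->iMatchCount] = otnx`, uses an index of 1248097130 into that array, which is why the process dies with SIGSEGV.

```python
"""Decode the `print *pmi` output from the gdb session in the post.

Added example, not code from the post or from Snort. Word values are
copied from the gdb dump; MATCH_ARRAY_LEN is an assumption (the number
of entries gdb printed), and "this is packet payload text" is an inference.
"""
import string

# First line of MatchArray as printed by gdb, plus the three scalar fields.
MATCH_ARRAY_PREFIX = [0x356d0a0d, 0x487a3776, 0x4737714a, 0x44535a6f,
                      0x7343557a, 0x71306e44, 0x6e794378, 0x6c2b496a]
I_MATCH_COUNT = 1248097130
I_MATCH_INDEX = 1211326818
I_MATCH_MAX_LEN = 1735086957
MATCH_ARRAY_LEN = 100            # assumed: entries shown in the gdb dump

BASE64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def words_to_bytes(words):
    """Reinterpret 32-bit words as the bytes they occupy on i386 (little-endian)."""
    return b"".join(w.to_bytes(4, "little") for w in words)


def looks_like_base64_lines(data):
    """True if every byte is base64 alphabet or CR/LF, i.e. MIME-style encoded text."""
    return all(chr(b) in BASE64_ALPHABET or b in (0x0D, 0x0A) for b in data)


def write_offset_bytes(index, elem_size=4):
    """Byte offset of MatchArray[index] from the array base (4-byte pointers on i386)."""
    return index * elem_size


def in_bounds(index, length=MATCH_ARRAY_LEN):
    """Whether MatchArray[index] is inside the assumed 100-entry array."""
    return 0 <= index < length


def diagnose():
    """Summarise what the dumped struct actually contains and where the store lands."""
    array_text = words_to_bytes(MATCH_ARRAY_PREFIX)
    scalar_text = words_to_bytes([I_MATCH_COUNT, I_MATCH_INDEX, I_MATCH_MAX_LEN])
    return {
        "array_text": array_text,
        "scalar_text": scalar_text,
        "array_is_text": looks_like_base64_lines(array_text),
        "scalars_are_text": looks_like_base64_lines(scalar_text),
        "count_in_bounds": in_bounds(I_MATCH_COUNT),
        # How far past the array base the faulting store at fpdetect.c:335 reaches.
        "write_offset_mib": write_offset_bytes(I_MATCH_COUNT) // (1 << 20),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value!r}")
```

Run it and the scalar fields read "jsdJba3HmSkg" and the array prefix starts "\r\nm5v7zH"; the store goes roughly 4.7 GiB past the array base. Whatever `data` (0x8125054) pointed at when `mwmSearch` called `otnx_match`, it was holding packet payload by the time line 335 dereferenced it, so the place to look is what owns that pointer and when it is freed or reused, not the matcher itself.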
