[Snort-devel] Version 2.0.0beta (Build 57)

Phil Wood cpw at ...117...
Wed Mar 5 12:53:03 EST 2003


I tried:

  snort -r phil.cap -c redalert.conf

Worked great.

I tried live capture and got a core dump.  Just one rule:

redalert udp any any -> 192.16.1.241 1236 (msg: "Test Page System"; content: "excuse me"; classtype: testing; sid:40002; rev:1;)

However, the conf file is complex.  I'll start primitive and work my way up.

Attachment is the latest core.

On Wed, Mar 05, 2003 at 09:28:26AM -0500, Chris Green wrote:
> Ok We're at Build 57 and this takes care of checking where we're
> looking that was causing it to fail on test cases.
> 
> Short note is:
> 
> Here's packet capture and snort.conf to test with
> 
> 
> -- 
> Chris Green <cmg at ...402...>
> "Yeah, but you're taking the universe out of context."
> 
> PS:
> PS
> 
> Direct replies to you were failing last night with
> 
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
> 
>   pipe to |IFS=' ' && p=/usr/bin/procmail && test -f $p && exec $p -Yf- || exit 75
>     generated by cpw at ...117...
>     "IFS='" command not found for address_pipe transport


-- 
Phil Wood, cpw at ...86...

-------------- next part --------------
# ./xaa* -V
Initializing Output Plugins!

-*> Snort! <*-
Version 2.0.0beta (Build 57)
By Martin Roesch (roesch at ...402..., www.snort.org)
[root at ...1844... acid]# gdb xaa20030305.1325 caa20030305.1325
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...

warning: core file may not match specified executable file.
Core was generated by `snort -S INSTANCE=aa20030305.1325 -S LOGDIR=/data/pw/log/acid -S IDS_BASE=/data'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libpcap-0.6.2.so...done.
Loaded symbols for /usr/lib/libpcap-0.6.2.so
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /usr/local/lib/libmysqlclient.so.9...done.
Loaded symbols for /usr/local/lib/libmysqlclient.so.9
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_nisplus.so.2...done.
Loaded symbols for /lib/libnss_nisplus.so.2
Reading symbols from /lib/libnss_nis.so.2...done.
Loaded symbols for /lib/libnss_nis.so.2
Reading symbols from /lib/libnss_dns.so.2...done.
Loaded symbols for /lib/libnss_dns.so.2
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
---Type <return> to continue, or q <return> to quit--- 
#0  otnx_match (id=136895920, index=0, data=0x8124f94) at fpdetect.c:335
335         pmi->MatchArray[ pmi->iMatchCount ] = otnx;
(gdb) list
330         }
331
332         /*
333         **  Add the event to the appropriate list
334         */
335         pmi->MatchArray[ pmi->iMatchCount ] = otnx;
336
337         /*
338         **  This means that we are adding a NC rule
339         **  and we only set the index to this rule
(gdb) print *pmi
$1 = {MatchArray = {0x0, 0x0, 0x8083ae0, 0x0, 0x0, 0x829828c, 0x3e665d61, 
    0x3e665d61, 0x1, 0x80, 0x0, 0xa9, 0x829da08, 0x82980e8, 0x8299b80, 0x100, 
    0xd9880c40, 0x20019, 0x0, 0x0, 0x0, 0x0, 0x16d0, 0x0, 0x1, 0xb, 0x0, 
    0x8083ae0, 0x0, 0x0, 0x82982f0, 0x3515a580, 0x48215, 0xec18a3da, 
    0xec18a3da, 0x0, 0xec18a3db, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8083ae0, 0x0, 0x0, 
    0x829832c, 0x3e665d63, 0x3e665d63, 0x3, 0xbd, 0x0, 0x0, 0x0, 0xa1, 0x0, 
    0x829c2f0, 0x828a760, 0x100, 0x800a580, 0x40019, 0xeb10e88c, 0xeb10eb37, 
    0xeb10e88d, 0xeb10eb4e, 0xf82f, 0x0, 0x15, 0x2c1, 0x0, 0x8083ae0, 0x0, 
    0x0, 0x8298398, 0xae395bd8, 0x4473d, 0x413276ee, 0x41328528, 0x41328522, 
    0x41328528, 0x3354, 0x41328522, 0x11, 0xe39, 0x829a028, 0x8083ae0, 0x1, 
    0x0, 0x82983d4, 0x3e665d4d, 0x3e665d54, 0x7, 0x73c9, 0x0, 0x41, 0x8298440, 
    0x0, 0x0, 0x101, 0x829cf80, 0x829cfc2}, iMatchCount = 1046895962, 
  iMatchIndex = 377665, iMatchMaxLen = 174}
(gdb) quit
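The backtrace points at the write `pmi->MatchArray[ pmi->iMatchCount ] = otnx;` with `iMatchCount = 1046895962` while `iMatchMaxLen = 174`, i.e. an index far past the array. As an added illustration, not Snort's code and not part of this thread, here is the bounds check a maintainer would want around that assignment, built on a hypothetical structure modelled only on the field names printed by `print *pmi` (the array length 174 is taken from `iMatchMaxLen` in the dump; everything else is assumed):

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical structure modelled on the field names in the gdb dump
 * (MatchArray, iMatchCount, iMatchIndex, iMatchMaxLen); not Snort's own code. */
#define MATCH_ARRAY_LEN 174   /* assumption: taken from iMatchMaxLen in the dump */

typedef struct {
    void *MatchArray[MATCH_ARRAY_LEN];
    int iMatchCount;
    int iMatchIndex;
    int iMatchMaxLen;
} match_info_t;

/* Zero the bookkeeping; a count that is never initialised is one way to end
 * up with the garbage index seen in the core. */
void match_info_init(match_info_t *pmi)
{
    memset(pmi, 0, sizeof *pmi);
    pmi->iMatchMaxLen = MATCH_ARRAY_LEN;
}

/* Is the bookkeeping in a state where a write through iMatchCount is safe? */
int match_info_is_sane(const match_info_t *pmi)
{
    return pmi->iMatchCount >= 0
        && pmi->iMatchMaxLen > 0
        && pmi->iMatchMaxLen <= MATCH_ARRAY_LEN
        && pmi->iMatchCount < pmi->iMatchMaxLen;
}

/* Bounds-checked equivalent of "MatchArray[iMatchCount] = otnx".
 * Returns 1 when the entry is stored, 0 when it is refused (list full or
 * corrupt state), so the caller can log the condition instead of crashing. */
int match_info_add(match_info_t *pmi, void *otnx)
{
    if (!match_info_is_sane(pmi))
        return 0;   /* refuse the write rather than corrupt memory */
    pmi->MatchArray[pmi->iMatchCount++] = otnx;
    return 1;
}

/* Replays the values printed by "print *pmi" in the core dump and reports
 * whether the write at fpdetect.c:335 would have been in bounds (it is not). */
int dumped_state_is_sane(void)
{
    match_info_t pmi;
    match_info_init(&pmi);
    pmi.iMatchCount = 1046895962;   /* from the gdb output above */
    pmi.iMatchIndex = 377665;
    pmi.iMatchMaxLen = 174;
    return match_info_is_sane(&pmi);
}

/* Fills a fresh list until the bound refuses an entry and returns how many
 * adds were accepted; a correct check accepts exactly iMatchMaxLen of them. */
int accepted_adds_until_full(void)
{
    static int rule;            /* stand-in for an otnx pointer target */
    match_info_t pmi;
    int accepted = 0;
    match_info_init(&pmi);
    while (match_info_add(&pmi, &rule))
        accepted++;
    return accepted;
}

int main(void)
{
    printf("adds accepted before the bound: %d\n", accepted_adds_until_full());
    printf("dumped core state is sane: %d\n", dumped_state_is_sane());
    return 0;
}
```

The point of `match_info_is_sane` is that it checks the count against `iMatchMaxLen` rather than only against the compile-time array length: a corrupt `iMatchMaxLen` (larger than the real array) would otherwise let a "valid" count still write past the end.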