[Snort-devel] Snort 2.8.0 + Stream5 + IDSwakeup = segmentation fault

Todd Wease twease at ...402...
Mon Oct 22 18:49:48 EDT 2007


Hello Praseeth.  Thanks for the report.  We haven't been able to
reproduce this yet and would like to get some more information from you.

(1) How did you acquire Snort? Snort website? CVS?
(2) Did you use an rpm or did you compile from source?
(3) If you compiled from source, what options did you give to configure?
(4) Also, if compiled from source, did you use the --enable-debug flag
when configuring?  If not, can you do so and send us another gdb
backtrace of the segfault?
(5) Did you upgrade a previous Snort installation?
(6) Can you please post your snort.conf?
(7) What rules are you using?  Downloaded from snort website?  Any
bleeding-rules or custom rules?
(8) What was the Snort command line you were using?
(9) What was the command line used for IDSwakeup that caused the segfault?

Any and all of the above information could prove to be very helpful in
diagnosing the problem.

Thanks,
Todd


Praseeth Sreedharan wrote:
> Using Snort 2.8.0 on linux and get a segmentation fault while running
> IDSwakeup. Ran under gdb and the output is below. 
> 
> All rules, configuration are default - no changes from the Snort release. Not sure which test caused the crash but seems to be dealing with SMTP. Also the lino does not seem to match in snort_smtp.c file. 
> 
> Linux Version ================>
> 
> Linux mcp-2 2.6.12-1.1381_FC3smp #1 SMP Fri Oct 21 04:03:26 EDT 2005 i686 i686 i386 GNU/Linux
> 
> GDB output ================>
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x68233469 in ?? ()
> (gdb)
> (gdb) bt
> #0  0x68233469 in ?? ()
> #1  0x003b8dc8 in SnortSMTP (p=0x100de85 at snort_smtp.c:275
> #2  0x0809e9ca in TcpSessionCleanup (lwssn=0x100ad0e0)
>     at snort_stream5_tcp.c:3605
> #3  0x080a42d2 in ProcessTcp (lwssn=0x100ad0e0, p=0xbfcafd90, tdb=0xbfcafcc0,
>     s5TcpPolicy=0xb741e00 at snort_stream5_tcp.c:6219
> #4  0x080a5a4e in Stream5ProcessTcp (p=0xbfcafd90) at snort_stream5_tcp.c:3840
> #5  0x08062335 in Preprocess (p=0xbfcafd90) at detect.c:174
> #6  0x0805adef in ProcessPacket (user=0x0, pkthdr=0xbfcb0180,
>     pkt=0xd54ef2a "", ft=0x0) at snort.c:1991
> #7  0x0805d812 in PcapProcessPacket (user=0x0, pkthdr=0xbfcb0180,
>     pkt=0xd54ef2a "") at snort.c:1373
> #8  0x0026a4ae in ?? () from /usr/lib/libpcap.so.0.8.3
> #9  0x00000000 in ?? ()
> (gdb)
> 
> ==================IDSwakeup Log 
> 
>   sending : smtp_bestof ...
>             105.52.35.77 -> 105.52.35.104 25/tcp  rcpt to: bouncebounce
>             105.52.35.77 -> 105.52.35.104 25/tcp  expn root
>             105.52.35.77 -> 105.52.35.104 25/tcp  expn decode
>             105.52.35.77 -> 105.52.35.104 25/tcp  debug
>             105.52.35.77 -> 105.52.35.104 25/tcp  vrfy smtp
>             105.52.35.77 -> 105.52.35.104 25/tcp  mail from: |
>             105.52.35.77 -> 105.52.35.104 25/tcp  rcpt to: |
>   sending : misc_bestof ...
>             105.52.35.77 -> 105.52.35.104 161/udp  public
>             105.52.35.77 -> 105.52.35.104 161/udp  private
>             105.52.35.77 -> 105.52.35.104 161/udp  all private
>             105.52.35.77 -> 105.52.35.104 162/udp  trap trap trap ...
>             105.52.35.77 -> 105.52.35.104 5631/tcp  ADMINISTRATOR
>             105.52.35.77 -> 105.52.35.104 32771/tcp -S
>             105.52.35.77 -> 105.52.35.104 6699/tcp  .mp3
>             105.52.35.77 -> 105.52.35.104 8888/tcp  .mp3