[Snort-devel] snort segmentation fault

Russ Combs rcombs at ...402...
Wed Mar 4 09:33:33 EST 2009


Please send your lua and snort.conf files and I'll see if I can recreate it
here.

Thanks
Russ

On Wed, Mar 4, 2009 at 6:47 AM, Paweł Pogoda <ppogoda at ...2499...> wrote:

> Hello, I have a problem with snortsp.
>
> General:
> Snort crashes when I scan it from another machine. I make a
> standard nmap scan: nmap -v -A host_ip
> When nmap is scanning open services, snort crashes with a segmentation fault
> error:
>
>
> Details:
> Linux ids 2.6.27.7-smp #2 SMP Thu Nov 20 22:32:43 CST 2008 i686 Intel(R)
> Pentium(R) 4 CPU 3.00GHz GenuineIntel GNU/Linux
> PREPROCESSORS:
> preprocessor stream5_global: max_tcp 8192 track_tcp yes, track_udp yes
> preprocessor stream5_tcp: policy windows, detect_anomalies
> preprocessor stream5_udp:
> preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt
> 10000
> preprocessor ssh:server_ports { 22 } max_client_bytes 19600
> max_encrypted_packets 20 disable_protomismatch disable_paysize
> preprocessor dcerpc: ports smb { 139 445 } ports dcerpc { 135 }
> max_frag_size 3000 memcap 100000 alert_memcap
> preprocessor frag3: detect_anomalies
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default profile all ports { 80
> 8080 8180 } oversize_dir_length 500
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor ftp_telnet: global encrypted_traffic yes inspection_type
> stateful
> preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
> preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100
> alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > cmd_validity
> MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS
> RNFR RNTO SITE MKD } telnet_cmds yes data_chan
> preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256
> bounce yes telnet_cmds yes
> preprocessor smtp: ports { 25 587 691 } inspection_type stateful normalize
> cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL }
> alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP
> HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level {
> low }
> preprocessor dns: ports { 53 } enable_rdata_overflow
> preprocessor ssl: noinspect_encrypted
> OUTPUTS:
> output unified2: filename snort.log, limit 512, nostamp
>
> It makes no difference how I start snortsp.
>
> ERROR MESSAGES from messages
>
> Mar  4 10:05:08 darkstar in.identd[7050]: reply to 10.64.1.88: 0 , 0 :
> ERROR: UNKNOWN-ERROR
> Mar  4 10:05:08 darkstar sshd[7051]: Did not receive identification string
> from 10.64.1.88
> Mar  4 10:05:08 darkstar kernel: snortsp[7021]: segfault at 60 ip b743ee5a
> sp aecfca50 error 4 in snort.so.0.0.0[b7419000+c3000]
>
> Best regards
> Pawel Pogoda
>
>
>
>
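
For triage of the kernel line quoted in the report, here is an added example (not part of the thread and not Snort project code) that decodes the `segfault at ...` message into the faulting access type and the instruction offset inside `snort.so.0.0.0`. The function name `decode_segfault`, the 4 KiB page size and the x86 page-fault error-code bit meanings are assumptions of the example.

```python
import re

# Kernel log line from the report above, rejoined after e-mail line wrapping.
LINE = ("Mar  4 10:05:08 darkstar kernel: snortsp[7021]: segfault at 60 "
        "ip b743ee5a sp aecfca50 error 4 in snort.so.0.0.0[b7419000+c3000]")

# All numeric fields in this message are printed by the kernel in hex.
SEGV = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

PAGE_SIZE = 4096  # assumption: 4 KiB pages


def decode_segfault(line):
    """Decode one x86 'segfault at' line; return None if it does not match."""
    m = SEGV.search(line)
    if m is None:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    if err & 0x10:
        access = "instruction fetch"
    else:
        access = "write" if err & 0x2 else "read"
    result = {
        "process": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": addr,
        "access": access,
        "cause": "protection violation" if err & 0x1 else "page not present",
        "mode": "user" if err & 0x4 else "kernel",
        # A fault inside the first page usually means the base pointer was NULL.
        "likely_null_deref": addr < PAGE_SIZE,
        "object": m["obj"],
        "offset": None,
    }
    if m["base"] is not None:
        base, size = int(m["base"], 16), int(m["size"], 16)
        if base <= ip < base + size:  # ip really lies inside the mapping
            result["offset"] = ip - base
    return result


if __name__ == "__main__":
    for key, value in decode_segfault(LINE).items():
        print(key, hex(value) if key in ("fault_addr", "offset") else value)
```

With an unstripped build of the same library, the resulting offset is the value to look up with `addr2line -e` or in `objdump -d` output to find the crashing function.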