[Snort-devel] segfault in stream5

snort user snort.user at ...2499...
Mon Oct 3 22:59:01 EDT 2011


Hi Brett,

Stream5GetApplicationData is called whenever an application needs to
retrieve any information that it saved/piggybacked onto the session
structure. You would see it in any of the preprocessors like dcerpc2
or smtp. I am assuming that you would have done a grep by now to
figure this out already.

More importantly, would it be possible to provide

1. a stack trace ?
2. the core file ?
3. can you replicate the issue and if so can you capture the related
pcap when the issue occur ?

These would be a great start to debug the issue and the list,
including me, would be able to help you out as well.


cheers





On Mon, Oct 3, 2011 at 10:46 PM, Brett Edgar <brett.edgar at ...2499...> wrote:
> I am getting segfaults in spp_stream5.c on line 1368 and it's
> happening on multiple systems that have completely disjoint network
> traffic.  Somehow, the ssn pointer being passed into stream5 is not
> NULL (otherwise the if(ssnptr) would prevent the crash) but also not
> valid (since I'm getting a segfault).
>
> The systems that are exhibiting the problem are Gentoo systems.  Some
> are x86 and some are amd64.  The stream5 configurations are very
> similar between the systems.  Here is the stream5 configuration on one
> of the systems:
>
> preprocessor stream5_global: track_tcp yes, \
>   track_udp yes, \
>   track_icmp no, \
>   max_tcp 262144, \
>   max_udp 131072
> preprocessor stream5_tcp: policy windows, require_3whs 180, \
>   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>    ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
>        161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666
> 6667 6668 6669 \
>        7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>    ports both 80 81 110 143 311 443 465 563 591 593 636 901 989 992
> 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907
> 7001 7145 7510 7802 7777 7779 \
>        7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911
> 7912 7913 7914 7915 7916 \
>        7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8118 8123
> 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555
> preprocessor stream5_udp: timeout 180
>
> That's very close, if not identical to, the snort.conf  in the VRT
> tarballs (except for the active response configuration statements in
> stream5_global that are not enabled because I didn't compile snort
> with that configuration option).
>
> I am a fairly competent C programmer, but I'm asking for suggestions
> on where to look in this mailing list since I am not familiar with the
> Snort code.  I'm hoping someone knows when Stream5GetApplicationData
> (the function that contains the segfault) gets called so I can narrow
> down my search more quickly...
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2dcopy1
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>




More information about the Snort-devel mailing list