[Snort-devel] Snort 2.9.7.0 enters into infinity loop getApplicationData

Hui Cao (huica) huica at ...3461...
Mon Nov 24 09:25:21 EST 2014


Hi Jul,

Thanks for reporting this. I will take  a look at this. Can you provide
the snort configuration you are using?

Best,
Hui.

On 11/24/14, 5:33 AM, "souber at ...3541..." <souber at ...3541...> wrote:

>
>below stack could be helpful
>
>(gdb) bt
>#0  getApplicationData (scbptr=0x7fffc4d81600, protocol=30) at
>spp_session.c:2741
>#1  0x00000000004e467d in get_file_session (ssnptr=<optimized out>) at
>file_service.c:237
>#2  get_main_file_context (ssnptr=<optimized out>) at file_service.c:253
>#3  get_file_processed_size (ssnptr=<optimized out>) at file_service.c:868
>#4  get_file_position (pkt=<optimized out>) at file_service.c:1028
>#5  get_file_position (pkt=<optimized out>) at file_service.c:1015
>#6  0x000000000048688e in SnortHttpInspect (GlobalConf=0x16cb410,
>p=0x196f6d0) at snort_httpinspect.c:4376
>#7  0x00000000004805c9 in HttpInspect (p=<optimized out>,
>context=<optimized out>) at spp_httpinspect.c:211
>#8  0x000000000043d69e in DispatchPreprocessors (policy=<optimized out>,
>policy_id=<optimized out>, p=0x196f6d0) at detect.c:136
>#9  Preprocess (p=0x196f6d0) at detect.c:234
>#10 0x00000000004b344f in _flush_to_seq (st=0x7fffeaf4ab50,
>bytes=<optimized out>, p=0xe91c60, dir=64, dp=<error reading variable:
>Unhandled dwarf expression opcode 0xfa>,
>    sp=<error reading variable: Unhandled dwarf expression opcode 0xfa>,
>dip=<error reading variable: Unhandled dwarf expression opcode 0xfa>,
>    sip=<error reading variable: Unhandled dwarf expression opcode 0xfa>,
>tcpssn=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
>at snort_stream_tcp.c:4336
>#11 0x00000000004b9951 in StreamFlushTalker (p=p at ...3418...=0xe91c60,
>scb=<optimized out>) at snort_stream_tcp.c:4883
>#12 0x0000000000490838 in StreamResponseFlushStream (p=0xe91c60) at
>spp_stream6.c:913
>#13 StreamResponseFlushStream (p=0xe91c60) at spp_stream6.c:906
>#14 0x0000000000492374 in freeSessionApplicationData
>(session=0x7fffc4d81600) at spp_session.c:1756
>#15 0x00000000004be476 in ProcessTcp (scb=scb at ...3418...=0x7fffc4d81600,
>p=p at ...3418...=0xe91c60, tdb=tdb at ...3418...=0x7fffffffdc80,
>s5TcpPolicy=s5TcpPolicy at ...3418...=0x7fffe62b7010) at snort_stream_tcp.c:8629
>#16 0x00000000004c0183 in StreamProcessTcp (p=p at ...3418...=0xe91c60,
>scb=scb at ...3418...=0x7fffc4d81600, s5TcpPolicy=0x7fffe62b7010,
>skey=skey at ...3418...=0x7fffffffdd10) at snort_stream_tcp.c:5639
>#17 0x000000000049016a in StreamProcess (p=0xe91c60, context=<optimized
>out>) at spp_stream6.c:751
>#18 0x000000000043d69e in DispatchPreprocessors (policy=<optimized out>,
>policy_id=<optimized out>, p=0xe91c60) at detect.c:136
>#19 Preprocess (p=p at ...3418...=0xe91c60) at detect.c:234
>#20 0x00000000004317f8 in ProcessPacket (p=p at ...3418...=0xe91c60,
>pkthdr=pkthdr at ...3418...=0x7fffffffde20, pkt=pkt at ...3418...=0x7fffd0695676 "\252",
>ft=ft at ...3418...=0x0) at snort.c:1873
>#21 0x0000000000433c20 in PacketCallback (user=<optimized out>,
>pkthdr=0x7fffffffde20, pkt=0x7fffd0695676 "\252") at snort.c:1717
>#22 0x00000000004efef5 in pcap_process_loop ()
>#23 0x00007ffff7fbdfbe in ?? () from
>/usr/lib/x86_64-linux-gnu/libpcap.so.0.8
>#24 0x00000000004f038d in pcap_daq_acquire ()
>#25 0x000000000045261c in DAQ_Acquire (max=max at ...3418...=0,
>callback=callback at ...3418...=0x433a80 <PacketCallback>, user=user at ...1066....3418...=0x0)
>at sfdaq.c:543
>#26 0x0000000000434d04 in PacketLoop () at snort.c:3268
>#27 SnortMain (argc=11, argv=<optimized out>) at snort.c:920
>#28 0x00007ffff6709ead in __libc_start_main () from
>/lib/x86_64-linux-gnu/libc.so.6
>#29 0x0000000000405aad in _start ()
>
>
>> 
>> Hello,
>> I have a problem with newest version of snort :( For some reason main
>>process enters into infinity loop in getApplicationData (spp_session.c).
>> I cannot determine how it's possible :(
>> 
>> Facts:
>> 1. appData is the same with appData->next
>> 2. appData->protocol is 5 (PP_HTTINSPECT)
>> 3. protocol variable in getApplicaionData is 30 (PP_FILE)
>> 4. it's not only one loop, after set NULL in next snort stack in
>>another endless loop
>> 
>> Any help? Any idea?
>> Cheers,
>> Jul.
>> 
>> 
>>-------------------------------------------------------------------------
>>-----
>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>> with Interactivity, Sharing, Native Excel Exports, App Integration &
>>more
>> Get technology previously reserved for billion-dollar corporations, FREE
>> 
>>http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clk
>>trk
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> Archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>> 
>> Please visit http://blog.snort.org for the latest news about Snort!
>> 
>
>
>
>--------------------------------------------------------------------------
>----
>Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>with Interactivity, Sharing, Native Excel Exports, App Integration & more
>Get technology previously reserved for billion-dollar corporations, FREE
>http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clkt
>rk
>_______________________________________________
>Snort-devel mailing list
>Snort-devel at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-devel
>Archive:
>http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
>Please visit http://blog.snort.org for the latest news about Snort!





More information about the Snort-devel mailing list