[Snort-users] Re: Snort crash...

Dragos Ruiu dr at ...50...
Tue Aug 22 22:52:41 EDT 2000


Hi there,

Marty forwarded your mail, and I seem to be on snort crash duty tonight :-)
Could you please clarify your crash... does it only crash with the defragger?
And are you using the broken defragger that shipped with the 1.6.3
distribution or have you updated to the Beta18 or Beta17 releases that work
under RedHat?

And could you get a stack dump from the core file to help chase
down where and why it crashed? A local variable dump may be good too... 

I suspect an old defragger is the most likely scenario here.
You should be able to find a fixed spp_defrag.c in the CVS tree
at SourceForge. Hope this helps, and if it doesn't, forward your
core stack dump and I'll add this one to the investigation list...

cheers,
--dr

Renaldo writes:
> Hi Marty...
> 
> First of all congrats for your wonderful work with Snort.
> 
> I have a situation here that can be caused by a bug.... anyway
> 
> I have a:
> 
> Pentium III 650MHz
> 256 Mb RAM
> Linux RedHat 6.2 ( 2.2.14-5.0 )
> 
> and using:
> 
> snort -A full -D -i eth0 -c /usr/snort-1.6.3/RULES/snort-lib1 -s ip
> Rules: 07272k.rules and all *-lib
> 
> Every hour I have a core dump and snort daemon dies...
> 
> I am (was) using "preprocessor defrag"... and before I wrote this message I
> decided to turn it off.. until now it's quite normal.
> 
> Take a look at part of my core dump:
> 
> CORE
> snort
> snort -A full -D -i eth0 -c /usr/snort-1.6.3/RULES/snort-lib1 -s ip
> CORE
>  snort
> VUUUU
> 85:0:99999:7:::
> :0:99999:7:::
> egal token: %s
> illegal char '%c'
> fatal flex scanner internal error--no action found
> fatal flex scanner internal error--end of buffer missed
> fatal error - scanner input buffer overflow
> out of dynamic memory in yy_create_buffer()
> out of dynamic memory in yy_scan_buffer()
> out of dynamic memory in yy_scan_bytes()
> bad buffer in yy_scan_bytes()
> @(#) $Header: grammar.y,v 1.56 96/11/02 21:54:55 leres Exp $ (LBL)
> 6520
> !"#$%&'()*+,4
> parser stack overflow
> parse error
> alert tcp !200.214.72.0/26 any -> 200.214.72.0/26 80 (msg:"IDS209 -
> WEB-MISC - Phorum Violation"; flags: AP; content:"violation.php3"; nocase;)
> eth0
> ICMP
> IGMP
> IPENCAP
> PROTO007
> PROTO009
> ...
> 
> I appreciate any help.
> 
> Thanks in advance.
> 
> Rinaldo Ribeiro, GCIA


-- 
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E  B7DC 2B71 A73E D2E8 A56D 
pgp key: http://www.dursec.com/drkey.asc
