[Snort-users] Snort-1.6.3-beta4

Dragos Ruiu dr at ...50...
Tue Jul 18 17:06:44 EDT 2000


That message is indeed from the defragger, which is not stable yet.
I agree with the suggestion that you not enable it.  I'm still chasing
"something" that fubars things on a slow corruption kind of scale,
that seems to be triggered by reassembly as far as I've been able
to isolate it.

That message is from a sanity check built into the defragger that checks
the three pointers it uses as input (bpf header, packet, ipheader in packet)
for null values.  Upon seeing this the defragger return()'s and does not
examine the packet.  I'm currently investigating some enhanced
debugging tools... :-/

I'll announce any significant status changes to the list and thanks to all
those that have contributed to the testing.

cheers,
--dr

On Tue, 18 Jul 2000, Ralf Hildebrandt wrote:
> 
> On 18.07.2000 at 08:55:28 +0200, Ralf Hildebrandt wrote the following:
> > On Sun, Jul 16, 2000 at 03:44:24 -0400, Martin Roesch wrote:
> > 
> > > http://host22-107.prestige.net/snort-1.6.3-beta4.tar.gz
> > > 
> > > Let me know how it works for you guys!
> > 
> > Seems to work for me (HP-UX 10.20)
> > Haven't tried enabling the defrag preprocessor, though
> 
> Hmm, I tested the latest (beta 5??) on FreeBSD 4.0 and HP-UX 10.20, and on
> both I got "Garbage Packet with Null Pointer discarded!" messages in my log:
> 
> Jul 18 09:59:13 snort[84426]: Garbage Packet with Null Pointer discarded!
> Jul 18 09:59:44 last message repeated 16 times
> Jul 18 10:01:46 last message repeated 63 times
> Jul 18 10:11:47 last message repeated 312 times
> Jul 18 10:21:29 last message repeated 304 times                     
> 
> And on the HP-UX box snort died shortly afterwards.
> 
> I dropped the preprocessor: defrag from my rules and now it seems to run
> again.
> 
> -- 
> Ralf.Hildebrandt at ...22...
> Dipl.-Informatiker                                        innominate AG
> System Engineer                                       networking people
> tel: +49.30.308806-62 fax: -77  web: http://innominate.de  pgp: /pgp/rh
> 


-- 
dursec.com ltd. / kyx.net - we're from the future    http://www.dursec.com
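
An added example, not part of the original message or of Snort: syslog collapses identical consecutive messages into "last message repeated N times", so counting how often the defragger's sanity check fired means expanding those lines. The parser assumes the line layout quoted in this thread (timestamp, then `program[pid]: message`, no hostname field); the last two sample lines are constructed.

```python
import re
from collections import Counter

# First five lines: the excerpt quoted in the thread. Last two: constructed,
# to show a repeat line is credited to whichever message preceded it.
SAMPLE = """\
Jul 18 09:59:13 snort[84426]: Garbage Packet with Null Pointer discarded!
Jul 18 09:59:44 last message repeated 16 times
Jul 18 10:01:46 last message repeated 63 times
Jul 18 10:11:47 last message repeated 312 times
Jul 18 10:21:29 last message repeated 304 times
Jul 18 10:22:01 sshd[101]: constructed unrelated message
Jul 18 10:22:30 last message repeated 2 times
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
TAG = re.compile(r"^(\S+?)(?:\[\d+\])?: (.*)$")


def count_events(text):
    """Return a Counter keyed by (program, message), repeats expanded."""
    counts = Counter()
    last = None  # key of the most recent real (non-repeat) message
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())  # tolerate trailing padding
        if not m:
            continue
        body = m.group(2)
        rep = REPEAT.match(body)
        if rep:
            # A repeat line with nothing before it cannot be attributed.
            if last is not None:
                counts[last] += int(rep.group(1))
            continue
        tag = TAG.match(body)
        last = (tag.group(1), tag.group(2)) if tag else ("?", body)
        counts[last] += 1
    return counts


if __name__ == "__main__":
    for (prog, msg), n in count_events(SAMPLE).most_common():
        print(f"{n:6d}  {prog}: {msg}")
```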