[Snort-users] beta5

Martin Roesch roesch at ...1...
Sat Jul 22 01:52:04 EDT 2000


Hi Andreas,
     I'm fairly certain I've solved this problem with version 1.6.3 (which I'm
going to release later this evening). I just ran ~600000 packets from ISIC
past Snort with that rule set and it didn't crash. :)

    -Marty


"Andreas Östling" wrote:
> 
> I have had it up and running on a Linux box for about 24 hours and it
> works just fine. However, while doing some testing at home with isic
> (http://expert.cc.purdue.edu/~frantzen/) I was able to crash it several
> times using 07122kany.rules.
> 
> On 192.168.0.2:
> ./isic -s 192.168.0.2 -d 192.168.0.1
> 
> On 192.168.0.1:
> -*> Snort! <*-
> Version 1.6.3-beta5
> By Martin Roesch (roesch at ...66..., www.clark.net/~roesch)
> Segmentation fault (core dumped)
> 
> GNU gdb 4.18
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
> are welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for
> details.
> This GDB was configured as "i386-redhat-linux"...
> Core was generated by `./snort -d -l /var/log/snort-logs -c 07122kany.rules'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/lib/libpq.so.2.0...done.
> Reading symbols from /lib/libnsl.so.1...done.
> Reading symbols from /lib/libc.so.6...done.
> Reading symbols from /lib/libcrypt.so.1...done.
> Reading symbols from /lib/ld-linux.so.2...done.
> Reading symbols from /lib/libnss_files.so.2...done.
> #0  0x8052970 in IcmpTypeCheck (p=0xbffff724, otn=0x80a1668,
> fp_list=0x80a1ff8) at sp_icmp_type_check.c:149
> 149         if (((IcmpTypeCheckData *)
> otn->ds_list[PLUGIN_ICMP_TYPE])->icmp_type == p->icmph->type)
> (gdb) where
> #0  0x8052970 in IcmpTypeCheck (p=0xbffff724, otn=0x80a1668,
> fp_list=0x80a1ff8) at sp_icmp_type_check.c:149
> #1  0x80514f5 in EvalOpts (List=0x80a1668, p=0xbffff724) at rules.c:2895
> #2  0x8051508 in EvalOpts (List=0x809ece0, p=0xbffff724) at rules.c:2897
> #3  0x8051508 in EvalOpts (List=0x809dd68, p=0xbffff724) at rules.c:2897
> #4  0x8051508 in EvalOpts (List=0x809bda0, p=0xbffff724) at rules.c:2897
> #5  0x8051508 in EvalOpts (List=0x8099eb0, p=0xbffff724) at rules.c:2897
> #6  0x8051508 in EvalOpts (List=0x80962d0, p=0xbffff724) at rules.c:2897
> #7  0x8051508 in EvalOpts (List=0x8095330, p=0xbffff724) at rules.c:2897
> #8  0x8051358 in EvalHeader (rtn_idx=0x8076378, p=0xbffff724) at
> rules.c:2661
> #9  0x805132e in EvalPacket (List=0x806a4f8, mode=2, p=0xbffff724) at
> rules.c:2610
> #10 0x8051271 in Detect (p=0xbffff724) at rules.c:2482
> #11 0x80511e4 in Preprocess (p=0xbffff724) at rules.c:2373
> #12 0x804a506 in ProcessPacket (user=0x0, pkthdr=0xbffffb80, pkt=0x806bccc
> "") at snort.c:380
> #13 0x8056eaa in pcap_read ()
> #14 0x8057443 in pcap_loop ()
> #15 0x804a38e in main (argc=8, argv=0xbffffcb4) at snort.c:304
> (gdb)
> 
> Using Linux 2.2.15, x86.
> 
> /Andreas
> 
> > How's beta5 working for people??
> >
> > --
> > Martin Roesch                      <roesch at ...2...>
> > Core R&D                         http://www.hiverworld.com
> > Hiverworld, Inc.       Continuous Adaptive Risk Management
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch                      <roesch at ...2...>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management



