[Snort-users] [Fwd: snort crash ...]

Blue Boar BlueBoar at ...182...
Fri Jul 28 11:15:49 EDT 2000


Thought you folks might be interested.  

					BB

Fabio Pietrosanti wrote:
> 
> hi look here...
> 
> Jul 25 12:59:16 naif libsafe.so[7023]: version 1.3
> Jul 25 12:59:16 naif libsafe.so[7023]: detected an attempt to write across
> stack boundary.
> Jul 25 12:59:16 naif libsafe.so[7023]: terminating /usr/local/sbin/snort
> Jul 25 12:59:16 naif libsafe.so[7023]: overflow caused by memcpy()
> 
> I tried to find out why it crashes, and it happens when IGMP
> fragments like these transit my network:
> 13:03:25.733060 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag
> 27565:410 at ...183...+)
> 13:03:25.733702 127.0.0.1 > 151.20.148.103: (frag 27565:410 at ...184...+)
> 13:03:25.745060 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag
> 27565:410 at ...183...+)
> 13:03:25.745389 127.0.0.1 > 151.20.148.103: (frag 27565:410 at ...184...+)
> 13:03:25.764985 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag
> 27565:410 at ...183...+)
> 13:03:25.765303 127.0.0.1 > 151.20.148.103: (frag 27565:410 at ...184...+)
> 
> I started an strace on snort's pid and this is the output when it crashes:
> recvfrom(3, "\377\377\377\377\377\377\0\20Z\372"..., 1564, 0,
> {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 243
> ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
> write(1, "07/25-12:59:14.177329 194.185.73"..., 62) = 62
> write(1, "UDP TTL:128 TOS:0x0 ID:60408 \n", 30) = 30
> write(1, "Len: 209\n", 9)               = 9
> write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
> recvfrom(3, "\377\377\377\377\377\377\0`\10\304"..., 1564, 0,
> {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 249
> ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
> write(1, "07/25-12:59:14.177794 194.185.73"..., 62) = 62
> write(1, "UDP TTL:32 TOS:0x0 ID:58686 \n", 29) = 29
> write(1, "Len: 215\n", 9)               = 9
> write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
> recvfrom(3, "\1\200\302\0\0\0\0P\275q\267\223"..., 1564, 0,
> {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 60
> ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
> recvfrom(3, "\3\0\0\0\0\1\0\240$[\243\26\0\255"..., 1564, 0,
> {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 187
> ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
> recvfrom(3, "\0\260\216n\3408\0P\332>t?\10\0E"..., 1564, 0,
> {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 444
> ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
> write(1, "07/25-12:59:16.466164 127.0.0.1 "..., 50) = 50
> write(1, "Proto: 2 TTL:255 TOS:0x0 ID:2756"..., 38) = 38
> write(1, "Frag Offset: 0x0   Frag Size: 0x"..., 36) = 36
> write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
> brk(0x8373000)                          = 0x8373000
> readlink("/proc/self/exe", "/usr/local/sbin/snort", 4094) = 21
> brk(0x8376000)                          = 0x8376000
> time([964522756])                       = 964522756
> getpid()                                = 7023
> rt_sigaction(0xd, 0xbfffe158, 0xbfffe0cc, 0x8, 0xd) = 0
> socket(PF_UNIX, SOCK_DGRAM, 0)          = 7
> fcntl(7, F_SETFD, FD_CLOEXEC)           = 0
> connect(7, {sun_family=AF_UNIX, sun_path="/dev/log"}, 16) = -1 EPROTOTYPE
> (Protocol wrong type for socket)
> close(7)                                = 0
> socket(PF_UNIX, SOCK_STREAM, 0)         = 7
> fcntl(7, F_SETFD, FD_CLOEXEC)           = 0
> connect(7, {sun_family=AF_UNIX, sun_path="/dev/log"}, 16) = 0
> send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 50, 0) = 50
> rt_sigaction(0xd, 0xbfffe15c, 0, 0x8, 0xd) = 0
> time([964522756])                       = 964522756
> getpid()                                = 7023
> rt_sigaction(0xd, 0xbfffe170, 0xbfffe0e4, 0x8, 0xd) = 0
> send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 90, 0) = 90
> rt_sigaction(0xd, 0xbfffe174, 0, 0x8, 0xd) = 0
> time([964522756])                       = 964522756
> getpid()                                = 7023
> rt_sigaction(0xd, 0xbfffe164, 0xbfffe0d8, 0x8, 0xd) = 0
> send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 72, 0) = 72
> rt_sigaction(0xd, 0xbfffe168, 0, 0x8, 0xd) = 0
> time([964522756])                       = 964522756
> getpid()                                = 7023
> rt_sigaction(0xd, 0xbfffe158, 0xbfffe0cc, 0x8, 0xd) = 0
> send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 66, 0) = 66
> rt_sigaction(0xd, 0xbfffe15c, 0, 0x8, 0xd) = 0
> close(7)                                = 0
> write(2, "Detected an attempt to write acr"..., 52) = 52
> write(2, "Terminating /usr/local/sbin/snor"..., 35) = 35
> _exit(1)                                = ?
> 
> That's all.
> 
> naif
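Added example, not code from the post above or from Snort: a bounds-checked fragment copy of the kind that stops a memcpy() from running past a reassembly buffer, which is the defect class libsafe reported. The buffer size, the helper names (reasm_add_fragment, frag_field_to_bytes, run_demo) and the fragment offsets are assumptions; only the 410-byte fragment size is taken from the tcpdump lines.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* IPv4 total length is 16 bits, so 65535 bytes is the most any datagram needs. */
#define REASM_MAX 65535
struct reasm {
    uint8_t buf[REASM_MAX];
    size_t  highest;   /* one past the highest byte written so far */
};
/* Convert the 13-bit IP fragment-offset field (8-byte units) to a byte offset. */
size_t frag_field_to_bytes(uint16_t frag_field)
{
    return (size_t)(frag_field & 0x1FFF) * 8;
}
/* Copy one fragment into the buffer only if it fits entirely.
 * Returns 0 when copied, -1 when the fragment would run past the buffer.
 * The check is written so that offset + len cannot wrap around. */
int reasm_add_fragment(struct reasm *r, size_t offset,
                       const uint8_t *payload, size_t len)
{
    if (len > REASM_MAX || offset > REASM_MAX - len)
        return -1;
    memcpy(r->buf + offset, payload, len);
    if (offset + len > r->highest)
        r->highest = offset + len;
    return 0;
}
/* Constructed demo: two in-range 410-byte fragments (the size in the
 * tcpdump lines), then two that must be refused. Returns the number
 * accepted, or -1 if the bookkeeping is wrong. */
int run_demo(void)
{
    static struct reasm r;                 /* static: too big for the stack */
    static uint8_t payload[410];
    int accepted = 0;
    memset(&r, 0, sizeof r);
    memset(payload, 0xAB, sizeof payload);
    if (reasm_add_fragment(&r, 0, payload, sizeof payload) == 0)   accepted++;
    if (reasm_add_fragment(&r, 410, payload, sizeof payload) == 0) accepted++;
    /* Highest possible offset field: 0x1FFF * 8 = 65528, plus 410 > 65535. */
    if (reasm_add_fragment(&r, frag_field_to_bytes(0x1FFF), payload,
                           sizeof payload) == 0) accepted++;
    /* An offset that would wrap past zero when added to len. */
    if (reasm_add_fragment(&r, SIZE_MAX - 100, payload, sizeof payload) == 0)
        accepted++;
    return r.highest == 820 ? accepted : -1;
}
```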