[Snort-users] Today's updates

Len Burns lenb at ...750...
Sun Nov 19 08:59:30 EST 2000


Since the below, and a few changes in my rules file, I am seeing good
results with the address list. Now I have a new quirk: I am seeing
snort crash, with no logged errors.  When I performed a postmortem
with gdb, the backtrace looks like this:
(gdb) bt
#0  0x401a8e28 in free ()
#1  0xacb500 in ?? ()
#2  0x1ca98 in TcpStreamPruneSessions () at spp_tcp_stream.c:599
#3  0x1c3e6 in TcpStreamPacket (p=0xbfbfd26c) at spp_tcp_stream.c:244
#4  0xc2b9 in Preprocess (p=0xbfbfd26c) at rules.c:2946
#5  0x1eea in ProcessPacket (user=0x0, pkthdr=0x29000, pkt=0x29012 "")
    at snort.c:465
#6  0x40046d91 in pcap_read ()
#7  0x4004729f in pcap_dispatch ()
#8  0x400472d7 in pcap_loop ()
#9  0x3862 in InterfaceThread (arg=0x0) at snort.c:1252
#10 0x1ded in main (argc=8, argv=0xbfbfd784) at snort.c:398

I am seeing no more leakage from the defrag module; memory use looks
very stable under NetBSD-1.4.2 i386.  Thanks bunches for all of your


On Sat, 18 Nov 2000, roesch wrote:

> Hi Guys,
>      I worked on the IP list code some more today, it seems to be working better now under all "normal" configurations I have.  (this should fix the problem you indicated today Len)  If you've been playing with it and had problems, check out the latest.  I also cleaned up the TCP stream preprocessor a bit and changed its memory management to allocate buffers as indicated by the window size of the connections.  I also restated the TCP connection states with #define variables, cleaned up the new packet/log counters, and switched to calling it version 1.7-beta4. There are some other minor little tweaks in there as well.
> Additionally, last night I redefined all of the "!$HOME_NET" variables in the rules files that ship with Snort to $EXTERNAL_NET.  This works better with the new IP parsing code, so please define your "!"'s *inside* of your vars from now on if you can. :)
>      -Marty
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

Len Burns,
Site Engineer for Sasquatch Computer
lenb at ...750...
Voice: 831-420-1053
Fax: 831-420-0468
