[Snort-users] Snort SEGV in TCP Stream Reassembler

Christopher E. Cramer chris.cramer at ...799...
Mon Apr 2 14:56:47 EDT 2001


Hi,

If you don't mind, please try grabbing the latest source from the CVS and
then using the stream2 (not stream) preprocessor.

I think that the version you are using has got some pretty old
spp_tcp_stream code in it that definitely had memory issues.  I think that
even a later version of the spp_tcp_stream code may be _less_ likely to
crash.  That said, the stream2 stuff is definitely where I'm spending more
energy right now.

Thanks
-Chris


On Mon, 2 Apr 2001, H D Moore wrote:

> Date: Mon, 2 Apr 2001 13:16:14 -0500
> From: H D Moore <hdm at ...1714...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort SEGV in TCP Stream Reassembler
>
> (gdb) r -c snort.conf -u snort -g snort
> Starting program: /usr/local/bin/snort -c snort.conf -u snort -g snort
>
>
>         --== Initializing Snort ==--
>
> Initializing Network Interface eth0
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> database: compiled support for ( mysql )
> database: configured to use mysql
> database:          user = xxxxx
> database: database name = xxxxxxx
> database:          host = xxxxxxxxx
> database: password is set
> database:   sensor name = x.x.x.x
> database:     sensor id = 1
> database: using the "log" facility
> 792 Snort rules read...
> 792 Option Chains linked into 123 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Rule application order: ->activation->dynamic->alert->log->pass
>
>         --== Initialization Complete ==--
>
> -*> Snort! <*-
> Version 1.7
> By Martin Roesch (roesch at ...66..., www.snort.org)
>
>
> [!] WARNING: TCP stream reassembler, Server Bytes in Buffer > Buffer Size
> (49276 > 48504)
> Program received signal SIGSEGV, Segmentation fault.
> 0x1d74a7 in memcpy (dstpp=0x0, srcpp=0x8106acc, len=163)
>     at ../sysdeps/generic/memcpy.c:55
> 55      ../sysdeps/generic/memcpy.c: No such file or directory.
> (gdb)
> (gdb)
> (gdb)
> (gdb) bt
> #0  0x1d74a7 in memcpy (dstpp=0x0, srcpp=0x8106acc, len=163)
>     at ../sysdeps/generic/memcpy.c:55
> #1  0x806392b in TcpStreamPacket (p=0xbfffee08) at spp_tcp_stream.c:530
> #2  0x80542df in Preprocess (p=0xbfffee08) at rules.c:3016
> #3  0x804abd1 in ProcessPacket (user=0x0, pkthdr=0xbffff288, pkt=0x8106a8a "")
>     at snort.c:463
> #4  0x806dd8c in pcap_read ()
> #5  0x806e3ac in pcap_loop ()
> #6  0x804bd03 in InterfaceThread (arg=0x0) at snort.c:1278
> #7  0x804aab3 in main (argc=7, argv=0xbffff3f4) at snort.c:397
> (gdb)
>
> ----------------------------------------------------------------------
> gpg: Warning: using insecure memory!
> gpg: Signature made Mon Apr  2 14:16:14 2001 EDT using DSA key ID 0F1032E1
> gpg: Can't check signature: public key not found
> ----------------------------------------------------------------------
>
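
The trace above shows a warning that the byte count for the reassembly buffer exceeds its size, followed by memcpy called with a NULL destination; the code in spp_tcp_stream.c itself is not shown. As an added example (not Snort's code and not from either poster; the `stream_buf` type and the `sb_*` names are hypothetical), here is a reassembly-buffer append in C that turns both conditions into error returns instead of a copy:

```c
/* Added example: hypothetical reassembly buffer, not Snort's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char *data; /* NULL if allocation failed or buffer was freed */
    size_t cap;          /* allocated size */
    size_t used;         /* bytes currently buffered */
} stream_buf;

enum { SB_OK = 0, SB_NO_BUFFER = -1, SB_CORRUPT = -2, SB_FULL = -3 };

int sb_init(stream_buf *b, size_t cap)
{
    b->data = malloc(cap);
    b->cap = b->data ? cap : 0;
    b->used = 0;
    return b->data ? SB_OK : SB_NO_BUFFER;
}

/* Append one segment; refuse rather than copy when the state is unsafe. */
int sb_append(stream_buf *b, const unsigned char *seg, size_t len)
{
    if (b == NULL || b->data == NULL || seg == NULL)
        return SB_NO_BUFFER;    /* a NULL pointer would reach memcpy */
    if (b->used > b->cap)
        return SB_CORRUPT;      /* accounting says more bytes than capacity */
    if (len > b->cap - b->used) /* cannot wrap: used <= cap here */
        return SB_FULL;
    memcpy(b->data + b->used, seg, len);
    b->used += len;
    return SB_OK;
}

void sb_free(stream_buf *b) { free(b->data); b->data = NULL; b->cap = b->used = 0; }

int main(void)
{
    stream_buf b;
    unsigned char seg[163] = {0};   /* constructed 163-byte segment */
    if (sb_init(&b, 48504) != SB_OK) return 1;
    b.used = 49276;                 /* constructed: counter past capacity */
    printf("append -> %d\n", sb_append(&b, seg, sizeof seg));
    sb_free(&b);
    return 0;
}
```

The caller decides what a non-zero return means for the session (drop the segment, flush, or tear the stream down); the point is that the packet path never reaches memcpy with an inconsistent buffer.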





