[Snort-users] Snort 1.8-beta4 (Build 13) core dump

Siddhartha Jain s_i_d_j at ...131...
Fri Apr 27 01:55:22 EDT 2001


Caught a bug it seems. Here are the details.

Solaris 2.6 (patched well) on UltraSparc-II.

I downloaded the rules file from whitehats and am using it as it is (just
commented a few).
Here is the conf file :-
var INTERNAL [xx.xx.xx.xx/24,xx.xx.xx.xx/16]
var EXTERNAL any

preprocessor minfrag: 256
preprocessor defrag
preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384
preprocessor http_decode: 80
preprocessor portscan: $INTERNAL 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor telnet_decode
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute

var SPADEDIR /opt/sid/snort/spade
preprocessor spade: 10.5 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
preprocessor spade-homenet:
preprocessor spade-threshlearn: 200 24
preprocessor spade-survey:  $SPADEDIR/survey.txt 60
preprocessor spade-stats: entropy uncondprob condprob

config classification: not-suspicious,Not Suspicious Traffic,0
config classification: unknown,Unknown Traffic,1
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,3
config classification: successful-recon-limited,Information Leak,4
config classification: successful-recon-largescale,Large Scale Information
config classification: attempted-dos,Attempted Denial of Service,6
config classification: successful-dos,Denial of Service,7
config classification: attempted-user,Attempted User Privilege Gain,8
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,7
config classification: successful-user,Successful User Privilege Gain,9
config classification: attempted-admin,Attempted Administrator Privilege
config classification: successful-admin,Successful Administrator Privilege

output alert_full: alert

include /opt/sid/snort/conf/vision.rules

And here's is how i run snort
./snort -D -de -C -c /opt/sid/snort/conf/snort.conf -l /opt/sid/snort/log

And here is what i got from gdb as instructed in "BUGS"

#0  ts_print (tvp=0x802ab8, timebuf=0xefffec78 "12/31/") at snort.c:2024
#1  0x31ee4 in AlertFull (p=0xeffff018, msg=0xefffec78 "12/31/",
file=0x11c0a0) at log.c:732
#2  0x45f54 in SpoAlertFull (p=0xeffff018, msg=0x330c78
    arg=0x15c868) at spo_alert_full.c:103
#3  0x39474 in CallAlertFuncs (p=0xeffff018, message=0x330c78
    head=0x15c238) at rules.c:3428
#4  0x3a5f4 in AlertAction (p=0xeffff018, otn=0x332ce0) at rules.c:4827
#5  0x3974c in EvalHeader (rtn_idx=0x332c90, p=0xeffff018) at rules.c:3684
#6  0x39654 in EvalPacket (List=0x11d314, mode=2, p=0xeffff018) at
#7  0x39504 in Detect (p=0xeffff018) at rules.c:3482
#8  0x39360 in Preprocess (p=0xeffff018) at rules.c:3366
#9  0x2d92c in ProcessPacket (user=0x0, pkthdr=0x12d000, pkt=0x802ac8
    at snort.c:500
#10 0x4af68 in TcpStreamPruneSessions () at spp_tcp_stream.c:987
#11 0x4a26c in TcpStreamPacket (p=0xeffff658) at spp_tcp_stream.c:428
#12 0x39338 in Preprocess (p=0xeffff658) at rules.c:3360
#13 0x2d92c in ProcessPacket (user=0x0, pkthdr=0x12d000, pkt=0x134726 "") at
#14 0x5b3d0 in pcap_read ()
#15 0x5bfc4 in pcap_loop ()
#16 0x2edbc in InterfaceThread (arg=0x12d3b0) at snort.c:1376
#17 0x2d7d0 in main (argc=1233840, argv=0xeffffd44) at snort.c:434


Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

More information about the Snort-users mailing list