[Snort-users] Snort 1.8-beta4 (Build 13) core dump

Martin Roesch roesch at ...421...
Fri Apr 27 02:06:49 EDT 2001


Try running it without the -C switch and see if it continues to core.

    -Marty

Siddhartha Jain wrote:
> 
> Hi,
> 
> Caught a bug it seems. Here are the details.
> 
> Solaris 2.6 (patched well) on UltraSparc-II.
> 
> I downloaded the rules file from whitehats and am using it as it is (just
> commented a few).
> Here is the conf file :-
> -------------------------------------------------------------------------------------------------
> var INTERNAL [xx.xx.xx.xx/24,xx.xx.xx.xx/16]
> var EXTERNAL any
> var SMTP $INTERNAL
> var HTTP_SERVERS $INTERNAL
> var DNS_SERVERS [xx.xx.xx.xx/32,xx.xx.xx.xx/32,xx.xx.xx.xx/32,xx.xx.xx.xx/32,xx.xx.xx.xx/32]
> 
> preprocessor minfrag: 256
> preprocessor defrag
> preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384
> preprocessor http_decode: 80
> preprocessor portscan: $INTERNAL 4 3 portscan.log
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> preprocessor telnet_decode
> preprocessor rpc_decode: 111 32771
> preprocessor bo: -nobrute
> 
> var SPADEDIR /opt/sid/snort/spade
> preprocessor spade: 10.5 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
> preprocessor spade-homenet: 202.87.0.0/16
> preprocessor spade-threshlearn: 200 24
> preprocessor spade-survey:  $SPADEDIR/survey.txt 60
> preprocessor spade-stats: entropy uncondprob condprob
> 
> config classification: not-suspicious,Not Suspicious Traffic,0
> config classification: unknown,Unknown Traffic,1
> config classification: bad-unknown,Potentially Bad Traffic, 2
> config classification: attempted-recon,Attempted Information Leak,3
> config classification: successful-recon-limited,Information Leak,4
> config classification: successful-recon-largescale,Large Scale Information Leak,5
> config classification: attempted-dos,Attempted Denial of Service,6
> config classification: successful-dos,Denial of Service,7
> config classification: attempted-user,Attempted User Privilege Gain,8
> config classification: unsuccessful-user,Unsuccessful User Privilege Gain,7
> config classification: successful-user,Successful User Privilege Gain,9
> config classification: attempted-admin,Attempted Administrator Privilege Gain,10
> config classification: successful-admin,Successful Administrator Privilege Gain,11
> 
> output alert_full: alert
> 
> include /opt/sid/snort/conf/vision.rules
> ----------------------------------------------------------------------
> 
> And here is how I run snort
> ./snort -D -de -C -c /opt/sid/snort/conf/snort.conf -l /opt/sid/snort/log
> -----------------------------------------------------------------------
> 
> And here is what I got from gdb as instructed in "BUGS"
> 
> #0  ts_print (tvp=0x802ab8, timebuf=0xefffec78 "12/31/") at snort.c:2024
> #1  0x31ee4 in AlertFull (p=0xeffff018, msg=0xefffec78 "12/31/",
> file=0x11c0a0) at log.c:732
> #2  0x45f54 in SpoAlertFull (p=0xeffff018, msg=0x330c78
> "IDS259/http-alibaba-overflow",
>     arg=0x15c868) at spo_alert_full.c:103
> #3  0x39474 in CallAlertFuncs (p=0xeffff018, message=0x330c78
> "IDS259/http-alibaba-overflow",
>     head=0x15c238) at rules.c:3428
> #4  0x3a5f4 in AlertAction (p=0xeffff018, otn=0x332ce0) at rules.c:4827
> #5  0x3974c in EvalHeader (rtn_idx=0x332c90, p=0xeffff018) at rules.c:3684
> #6  0x39654 in EvalPacket (List=0x11d314, mode=2, p=0xeffff018) at
> rules.c:3599
> #7  0x39504 in Detect (p=0xeffff018) at rules.c:3482
> #8  0x39360 in Preprocess (p=0xeffff018) at rules.c:3366
> #9  0x2d92c in ProcessPacket (user=0x0, pkthdr=0x12d000, pkt=0x802ac8
> "\001\177\0248E\020\023\b")
>     at snort.c:500
> #10 0x4af68 in TcpStreamPruneSessions () at spp_tcp_stream.c:987
> #11 0x4a26c in TcpStreamPacket (p=0xeffff658) at spp_tcp_stream.c:428
> #12 0x39338 in Preprocess (p=0xeffff658) at rules.c:3360
> #13 0x2d92c in ProcessPacket (user=0x0, pkthdr=0x12d000, pkt=0x134726 "") at
> snort.c:500
> #14 0x5b3d0 in pcap_read ()
> #15 0x5bfc4 in pcap_loop ()
> #16 0x2edbc in InterfaceThread (arg=0x12d3b0) at snort.c:1376
> #17 0x2d7d0 in main (argc=1233840, argv=0xeffffd44) at snort.c:434
> 
> Siddhartha

--
Martin Roesch
roesch at ...421...
http://www.snort.org