[Snort-users] Snort 1.8-beta4 (Build 13) core dump

Siddhartha Jain s_i_d_j at ...131...
Fri Apr 27 08:45:51 EDT 2001


Hi,

Sorry, the gdb output i sent was with the binary which was built without the
debugging info. Here is the entire info again and gdb info as described in
BUGS :-

Caught a bug it seems. Here are the details.

Solaris 2.6 (patched well) on UltraSparc-II.

I downloaded the rules file from whitehats and am using it as it is (just
commented a few).
Here is the conf file :-
----------------------------------------------------------------------------
---------------------
var INTERNAL [xx.xx.xx.xx/24,xx.xx.xx.xx/16]
var EXTERNAL any
var SMTP $INTERNAL
var HTTP_SERVERS $INTERNAL
var DNS_SERVERS
[xx.xx.xx.xx/32,xx.xx.xx.xx/32,xx.xx.xx.xx/32,xx.xx.xx.xx/32,xx.xx.xx.xx/32]


preprocessor minfrag: 256
preprocessor defrag
preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384
preprocessor http_decode: 80
preprocessor portscan: $INTERNAL 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor telnet_decode
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute

var SPADEDIR /opt/sid/snort/spade
preprocessor spade: 10.5 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
preprocessor spade-homenet: 202.87.0.0/16
preprocessor spade-threshlearn: 200 24
preprocessor spade-survey:  $SPADEDIR/survey.txt 60
preprocessor spade-stats: entropy uncondprob condprob

config classification: not-suspicious,Not Suspicious Traffic,0
config classification: unknown,Unknown Traffic,1
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,3
config classification: successful-recon-limited,Information Leak,4
config classification: successful-recon-largescale,Large Scale Information
Leak,5
config classification: attempted-dos,Attempted Denial of Service,6
config classification: successful-dos,Denial of Service,7
config classification: attempted-user,Attempted User Privilege Gain,8
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,7
config classification: successful-user,Successful User Privilege Gain,9
config classification: attempted-admin,Attempted Administrator Privilege
Gain,10
config classification: successful-admin,Successful Administrator Privilege
Gain,11

output alert_full: alert

include /opt/sid/snort/conf/vision.rules
----------------------------------------------------------------------

And here's is how i run snort
./snort -D -de -C -c /opt/sid/snort/conf/snort.conf -l /opt/sid/snort/log
-----------------------------------------------------------------------

And here is what i got from gdb as instructed in "BUGS"

#0  GetIfrMTU (name=0x1dfe368 "") at snort.c:1773
#1  0x31ee4 in PrintIPPkt (fp=0xeffff038, type=-268440424, p=0x11c0a0) at
log.c:484
#2  0x45f54 in fragcompare (i=0xeffff038, j=0xefffec98) at spp_defrag.c:209
#3  0x39474 in ParsePort (prule_port=0xeffff038 "\001ßãh\001ßãx",
hi_port=0x2ad318,
    lo_port=0x15c460,
    proto=0x3cfec "Ð\004 \b\226\002çlÚ\004 \f\230\003 \001Ð# \\Ò\004
\004\220\020",
    not_flag=0x2ba720) at rules.c:2405
#4  0x3a5f4 in Detect (p=0x1) at rules.c:3466
#5  0x3974c in ParseMessage (msg=0x2c0dd8 "") at rules.c:2572
#6  0x39654 in ConvPort (port=0x11ac00 "", proto=0xeffff038
"\001ßãh\001ßãx") at rules.c:2500
#7  0x39504 in ParsePort (prule_port=0xeffff038 "\001ßãh\001ßãx",
hi_port=0x4fda4,
    lo_port=0x1dfe5e9,
    proto=0x1dfe5e7 "j\ent size=\"1\">Mail this page to a
friend</font></a></b></font></b></font></div>\n          </td>\n     0.30)
Cadbury   449.55 (-0.45)          Castrol   224.5 (-3.05)          Century
Text  35."..., not_flag=0x1) at rules.c:2429
#8  0x39360 in ParseIP (paddr=0xeffff038 "\001ßãh\001ßãx",
address_data=0x12d000) at rules.c:2338
#9  0x2d92c in main (argc=0, argv=0x12d000) at snort.c:434
#10 0x4af68 in send_data_network (d=0x11c1e0, output=0x11c264 "") at
spo_xml.c:956
#11 0x4a26c in ParseXmlArgs (args=0x8 "") at spo_xml.c:445
#12 0x39338 in ParseIP (paddr=0xeffff678 "ïÿûX", address_data=0x12d000) at
rules.c:2332
#13 0x2d92c in main (argc=0, argv=0x12d000) at snort.c:434
#14 0x5b3d0 in init_mem () at spp_anomsensor.c:3079
#15 0x5bfc4 in checkpoint (filename=0x132680 "") at spp_anomsensor.c:3313
#16 0x2edbc in SetPktProcessor (num=1233840) at snort.c:1168
#17 0x2d7d0 in main (argc=1233840, argv=0xeffffd64) at snort.c:369
Cannot access memory at address 0x10000.


Siddhartha



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com





More information about the Snort-users mailing list