[Snort-users] Snort 1.8-beta4 (Build 13) core dump

Martin Roesch roesch at ...421...
Fri Apr 27 09:33:39 EDT 2001


Fixed and committed.

   -Marty

Siddhartha Jain wrote:
> 
> Hi,
> 
> Sorry, the gdb output I sent was with the binary which was built without the
> debugging info. Here is the entire info again and gdb info as described in
> BUGS :-
> 
> Caught a bug it seems. Here are the details.
> 
> Solaris 2.6 (patched well) on UltraSparc-II.
> 
> I downloaded the rules file from whitehats and am using it as it is (just
> commented a few).
> Here is the conf file :-
> ----------------------------------------------------------------------------
> var INTERNAL [xx.xx.xx.xx/24,xx.xx.xx.xx/16]
> var EXTERNAL any
> var SMTP $INTERNAL
> var HTTP_SERVERS $INTERNAL
> var DNS_SERVERS [xx.xx.xx.xx/32,xx.xx.xx.xx/32,xx.xx.xx.xx/32,xx.xx.xx.xx/32,xx.xx.xx.xx/32]
> 
> preprocessor minfrag: 256
> preprocessor defrag
> preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384
> preprocessor http_decode: 80
> preprocessor portscan: $INTERNAL 4 3 portscan.log
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> preprocessor telnet_decode
> preprocessor rpc_decode: 111 32771
> preprocessor bo: -nobrute
> 
> var SPADEDIR /opt/sid/snort/spade
> preprocessor spade: 10.5 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
> preprocessor spade-homenet: 202.87.0.0/16
> preprocessor spade-threshlearn: 200 24
> preprocessor spade-survey:  $SPADEDIR/survey.txt 60
> preprocessor spade-stats: entropy uncondprob condprob
> 
> config classification: not-suspicious,Not Suspicious Traffic,0
> config classification: unknown,Unknown Traffic,1
> config classification: bad-unknown,Potentially Bad Traffic, 2
> config classification: attempted-recon,Attempted Information Leak,3
> config classification: successful-recon-limited,Information Leak,4
> config classification: successful-recon-largescale,Large Scale Information Leak,5
> config classification: attempted-dos,Attempted Denial of Service,6
> config classification: successful-dos,Denial of Service,7
> config classification: attempted-user,Attempted User Privilege Gain,8
> config classification: unsuccessful-user,Unsuccessful User Privilege Gain,7
> config classification: successful-user,Successful User Privilege Gain,9
> config classification: attempted-admin,Attempted Administrator Privilege Gain,10
> config classification: successful-admin,Successful Administrator Privilege Gain,11
> 
> output alert_full: alert
> 
> include /opt/sid/snort/conf/vision.rules
> ----------------------------------------------------------------------
> 
> And here is how I run snort
> ./snort -D -de -C -c /opt/sid/snort/conf/snort.conf -l /opt/sid/snort/log
> -----------------------------------------------------------------------
> 
> And here is what I got from gdb as instructed in "BUGS"
> 
> #0  GetIfrMTU (name=0x1dfe368 "") at snort.c:1773
> #1  0x31ee4 in PrintIPPkt (fp=0xeffff038, type=-268440424, p=0x11c0a0) at
> log.c:484
> #2  0x45f54 in fragcompare (i=0xeffff038, j=0xefffec98) at spp_defrag.c:209
> #3  0x39474 in ParsePort (prule_port=0xeffff038 "\001ßãh\001ßãx",
> hi_port=0x2ad318,
>     lo_port=0x15c460,
>     proto=0x3cfec "Ð\004 \b\226\002çlÚ\004 \f\230\003 \001Ð# \\Ò\004
> \004\220\020",
>     not_flag=0x2ba720) at rules.c:2405
> #4  0x3a5f4 in Detect (p=0x1) at rules.c:3466
> #5  0x3974c in ParseMessage (msg=0x2c0dd8 "") at rules.c:2572
> #6  0x39654 in ConvPort (port=0x11ac00 "", proto=0xeffff038
> "\001ßãh\001ßãx") at rules.c:2500
> #7  0x39504 in ParsePort (prule_port=0xeffff038 "\001ßãh\001ßãx",
> hi_port=0x4fda4,
>     lo_port=0x1dfe5e9,
>     proto=0x1dfe5e7 "j\ent size=\"1\">Mail this page to a
> friend</font></a></b></font></b></font></div>\n          </td>\n     0.30)
> Cadbury   449.55 (-0.45)          Castrol   224.5 (-3.05)          Century
> Text  35."..., not_flag=0x1) at rules.c:2429
> #8  0x39360 in ParseIP (paddr=0xeffff038 "\001ßãh\001ßãx",
> address_data=0x12d000) at rules.c:2338
> #9  0x2d92c in main (argc=0, argv=0x12d000) at snort.c:434
> #10 0x4af68 in send_data_network (d=0x11c1e0, output=0x11c264 "") at
> spo_xml.c:956
> #11 0x4a26c in ParseXmlArgs (args=0x8 "") at spo_xml.c:445
> #12 0x39338 in ParseIP (paddr=0xeffff678 "ïÿûX", address_data=0x12d000) at
> rules.c:2332
> #13 0x2d92c in main (argc=0, argv=0x12d000) at snort.c:434
> #14 0x5b3d0 in init_mem () at spp_anomsensor.c:3079
> #15 0x5bfc4 in checkpoint (filename=0x132680 "") at spp_anomsensor.c:3313
> #16 0x2edbc in SetPktProcessor (num=1233840) at snort.c:1168
> #17 0x2d7d0 in main (argc=1233840, argv=0xeffffd64) at snort.c:369
> Cannot access memory at address 0x10000.
> 
> Siddhartha
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org



