[Snort-users] Snort 1.8-beta4 (Build 13) core dump

Siddhartha Jain s_i_d_j at ...131...
Fri Apr 27 12:12:05 EDT 2001


Why doesn't the binary compiled with --enable-debug see any traffic? The one
without sees traffic and logs normally but crashes.

Siddhartha

----- Original Message -----
From: "Martin Roesch" <roesch at ...421...>
To: "Siddhartha Jain" <s_i_d_j at ...131...>
Sent: Friday, April 27, 2001 8:52 PM
Subject: Re: [Snort-users] Snort 1.8-beta4 (Build 13) core dump


> Could you run the following commands on the core file you have:
>
> up 2
> p i->iph
> p j->iph
>
> and send me the results?
>
>    -Marty
>
> Siddhartha Jain wrote:
> >
> > Yes, it runs for a while and then crashes. And it does see traffic while it
> > runs. I will try and see what happens when the box is not connected to the
> > network.
> >
> > Siddhartha
> >
> > ----- Original Message -----
> > From: "Martin Roesch" <roesch at ...421...>
> > To: "Siddhartha Jain" <s_i_d_j at ...131...>
> >
> > > That call stack makes no sense at all.  Does Snort run for a while and
> > > then crash, or crash right away?  Is it seeing any traffic?  Can you
> > > recreate this crash if Snort can't see any traffic (e.g. if the system
> > > is disconnected from the network)?
> > >
> > >
> > >    -Marty
> > >
> > > Siddhartha Jain wrote:
> > > >
> > > > coredumped again ..
> > > >
> > > > #0  GetIfrMTU (name=0x11c24c0 "") at snort.c:1773
> > > > 1773            LogMessage("Automagic MTU discovery failed. Using default %i", retval);
> > > > (gdb) bt
> > > > #0  GetIfrMTU (name=0x11c24c0 "") at snort.c:1773
> > > > #1  0x31ee4 in PrintIPPkt (fp=0xeffff020, type=-268440448, p=0x11c108) at log.c:484
> > > > #2  0x45fa0 in fragcompare (i=0xeffff020, j=0xefffec80) at spp_defrag.c:226
> > > > #3  0x39484 in ParsePort (prule_port=0xeffff020 "\001\034$À\001\034$Ð", hi_port=0x3345e0,
> > > >     lo_port=0x15c4c8, proto=0x3da1c "\220\022 \204²\206\177ÿ\f\200", not_flag=0x32f1d8)
> > > >     at rules.c:2405
> > > > #4  0x3a604 in CallAlertPlugins (p=0x1, message=0x336a50 "") at rules.c:3452
> > > > #5  0x3975c in ParseMessage (msg=0x336a00 "") at rules.c:2574
> > > > #6  0x39664 in ConvPort (port=0x11b000 "", proto=0xeffff020 "\001\034$À\001\034$Ð")
> > > >     at rules.c:2503
> > > > #7  0x39514 in ParsePort (prule_port=0xeffff020 "\001\034$À\001\034$Ð", hi_port=0x4fdf0,
> > > >     lo_port=0x11c2afc, proto=0xffffffff <Address 0xffffffff out of bounds>, not_flag=0x1)
> > > >     at rules.c:2431
> > > > #8  0x39370 in ParseIP (paddr=0xeffff020 "\001\034$À\001\034$Ð", address_data=0x12d400)
> > > >     at rules.c:2336
> > > > #9  0x2d92c in main (argc=0, argv=0x12d400) at snort.c:434
> > > > #10 0x4afb4 in send_data_network (d=0x11c248, output=0x11c2cc "") at spo_xml.c:956
> > > > #11 0x4a2b8 in ParseXmlArgs (args=0x8 "") at spo_xml.c:445
> > > > #12 0x39348 in ParseIP (paddr=0xeffff660 "ïÿû@", address_data=0x12d400) at rules.c:2336
> > > > #13 0x2d92c in main (argc=0, argv=0x12d400) at snort.c:434
> > > > #14 0x5b41c in init_mem () at spp_anomsensor.c:3084
> > > > #15 0x5c010 in checkpoint (filename=0x1326e8 "") at spp_anomsensor.c:3313
> > > > #16 0x2edbc in SetPktProcessor (num=1233944) at snort.c:1168
> > > > #17 0x2d7d0 in main (argc=1233944, argv=0xeffffd4c) at snort.c:369
> > > > Cannot access memory at address 0x10000.
> > > >
> > > > Siddhartha
> > > >
> > >
> > > --
> > > Martin Roesch
> > > roesch at ...421...
> > > http://www.snort.org
> >
>
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
