[Snort-users] Coredump - 1.7 - defrag.

Dragos Ruiu dr at ...381...
Sat Jan 27 02:11:35 EST 2001


Weird...  If you notice fragcompare is being called with the same address
for both i and j.

Sigh... I'll look through the defragger code some more... maybe something silly
snuck in in various edits.

cheers,
--dr


On Fri, 26 Jan 2001, Martin Roesch wrote:
> Hey Scott, 
>      Could you try this in gdb:
> 
> p i->iph
> p j->iph
> 
> thanks!
> 
>    -Marty
> 
> "Scott A. McIntyre" wrote:
> > 
> > Hi,
> > 
> > I'm putting 1.7 through its paces but have found it to die pretty darn
> > quickly with high throughput on a redhat 7 box, 2.4 kernel.
> > 
> > Here's the dump:
> > 
> > Loaded symbols for /lib/libnss_nis.so.2
> > #0  0x805bc47 in fragcompare (i=0x8b7c5d0, j=0x8b7c5d0) at spp_defrag.c:171
> > 171         if(SADDR(i) > SADDR(j))
> > 
> > (gdb) bt
> > 
> > #0  0x805bc47 in fragcompare (i=0x8b7c5d0, j=0x8b7c5d0) at spp_defrag.c:171
> > #1  0x805bdeb in fragsplay (i=0x8b7c5d0, t=0x84c2bc8) at spp_defrag.c:244
> > #2  0x805bfba in fragdelete (i=0x8b7c5d0, t=0x84c2bc8) at spp_defrag.c:378
> > #3  0x805c74c in PreprocDefrag (p=0xbffff608) at spp_defrag.c:938
> > #4  0x8054226 in Preprocess (p=0xbffff608) at rules.c:3016
> > #5  0x804b56f in ProcessPacket (user=0x0, pkthdr=0xbffffa78, pkt=0x80902e8 "") at snort.c:463
> > #6  0x806adb0 in pcap_read_packet ()
> > #7  0x806bb3b in pcap_loop ()
> > #8  0x804c449 in InterfaceThread (arg=0x0) at snort.c:1278
> > #9  0x804b43f in main (argc=6, argv=0xbffffc2c) at snort.c:397
> > #10 0x4019fb5c in __libc_start_main (main=0x804aebc <main>, argc=6, ubp_av=0xbffffc2c, init=0x804a294 <_init>,
> >     fini=0x8073ddc <_fini>, rtld_fini=0x4000d634 <_dl_fini>,
> > stack_end=0xbffffc24) at ../sysdeps/generic/libc-start.c:129
> > 
> > I suspect if I stop using the defragger it'll work better.  :-)  Will
> > try...
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> 
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
                                                                    http://cansecwest.com
CanSecWest/core01: March 28-30, Vancouver B.C.  ------------^
Speakers: Renaud Deraison/Nessus Attack Scanner, Martin Roesch/Snort/Advanced IDS,
  Ron Gula/Enterasys/IDS Evasion, Dug Song/Arbor Networks/Monkey in the Middle,
  RFP/Whisker2.0 and other fun, Mixter/2XS/Distributed Apps, Theo DeRaadt/OpenBSD,
  K2/w00w00/ADMutate, HD Moore/Digital Defense/Making NT Bleed, Frank Heidt/@Stake, 
  Matthew Franz/Cisco/Trinux/Security Models, Fyodor/insecure.org/Network Mapping,
  Lance Spitzner/Sun/Honeynet Fun, Robert Graham/NetworkICE/IDS Technology Demo,
  Kurt Seifried/SecurityPortal/Crypto: 2-Edged Sword, Dave Dittrich/UW/Forensics,   
  Sebastien Lacoste-Seris & Nicolas Fischbach/COLT Telecom/Securite.Org/Kerberized
  SSH Deployment, Jay Beale/MandrakeSoft/Bastille-Linux/Securing Linux





More information about the Snort-users mailing list