[Snort-users] 1.8b5 build22 crash

Martin Roesch roesch at ...1935...
Sat May 12 14:44:54 EDT 2001


Interesting, I've seen a couple reports of this crash but have been
unable to recreate it.  Hmm, might be an interaction between the syslog
plugin and spp_portscan...

     -Marty

H D Moore wrote:
> 
>         --== Initializing Snort ==--
> Checking PID path...
> PATH_VARRUN is set to /var/run/ on this operating system
> 
> Initializing Network Interface eth0
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file /home/snort/rules/snort.conf
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Using LOCAL time
> database: compiled support for ( mysql )
> database: configured to use mysql
> database:          user = snort
> database: database name = snort
> database:          host = localhost
> database: password is set
> database:   sensor name = w.x.y.z
> database:     sensor id = 2
> database: schema version = 100
> database: using the "log" facility
> 533 Snort rules read...
> 533 Option Chains linked into 199 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> Rule application order: ->activation->dynamic->alert->pass->log
> 
>         --== Initialization Complete ==--
> 
> -*> Snort! <*-
> Version 1.8-beta5 (Build 22)
> By Martin Roesch (roesch at ...66..., www.snort.org)
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x805d936 in AlertSyslog (p=0x0,
>     msg=0xbfffecb4 "spp_portscan: PORTSCAN DETECTED from w.x.y.z (THRESHOLD 5 connections exceeded in 1 seconds)", arg=0x813ffc0)
>     at spo_alert_syslog.c:345
> 345         ds_ptr = (PriorityData *) otn_tmp->ds_list[PLUGIN_PRIORITY_NUMBER];
> (gdb) bt
> #0  0x805d936 in AlertSyslog (p=0x0,
>     msg=0xbfffecb4 "spp_portscan: PORTSCAN DETECTED from w.x.y.z (THRESHOLD 5 connections exceeded in 1 seconds)", arg=0x813ffc0)
>     at spo_alert_syslog.c:345
> #1  0x8055e0d in CallAlertPlugins (p=0x0,
>     message=0xbfffecb4 "spp_portscan: PORTSCAN DETECTED from w.x.y.z (THRESHOLD 5 connections exceeded in 1 seconds)") at rules.c:3445
> #2  0x8055daa in CallAlertFuncs (p=0x0,
>     message=0xbfffecb4 "spp_portscan: PORTSCAN DETECTED from w.x.y.z (THRESHOLD 5 connections exceeded in 1 seconds)", head=0x0) at rules.c:3419
> #3  0x805b506 in PortscanPreprocFunction (p=0xbfffedc0) at spp_portscan.c:953
> #4  0x8055ca6 in Preprocess (p=0xbfffedc0) at rules.c:3358
> #5  0x804ac91 in ProcessPacket (user=0x0, pkthdr=0xbffff268, pkt=0x812848a "")
>     at snort.c:501
> #6  0x8077dcc in pcap_read ()
> #7  0x80783ec in pcap_loop ()
> #8  0x804c16f in InterfaceThread (arg=0x0) at snort.c:1377
> #9  0x804ab74 in main (argc=7, argv=0xbffff3f4) at snort.c:434
> 

--
Martin Roesch
roesch at ...1935...
http://www.sourcefire.com - http://www.snort.org
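
In the quoted backtrace, frames #4 and #3 hold a valid packet pointer, while frame #2 and everything below it receive p=0x0 (frame #2 also gets head=0x0), so the NULL arguments enter at the call made from spp_portscan.c:953. The script below is an added example, not part of the original message or of Snort, that automates that reading of a gdb `bt`; matching arguments by name across frames is a heuristic assumption, and the message strings in frames #1 and #2 are shortened.

```python
import re

# Frames #0-#5 as quoted in the message above (strings in #1/#2 shortened).
BACKTRACE = '''
> #0  0x805d936 in AlertSyslog (p=0x0,
>     msg=0xbfffecb4 "spp_portscan: PORTSCAN DETECTED from w.x.y.z (THRESHOLD 5 connections exceeded in 1 seconds)", arg=0x813ffc0)
>     at spo_alert_syslog.c:345
> #1  0x8055e0d in CallAlertPlugins (p=0x0,
>     message=0xbfffecb4 "spp_portscan: ...") at rules.c:3445
> #2  0x8055daa in CallAlertFuncs (p=0x0,
>     message=0xbfffecb4 "spp_portscan: ...", head=0x0) at rules.c:3419
> #3  0x805b506 in PortscanPreprocFunction (p=0xbfffedc0) at spp_portscan.c:953
> #4  0x8055ca6 in Preprocess (p=0xbfffedc0) at rules.c:3358
> #5  0x804ac91 in ProcessPacket (user=0x0, pkthdr=0xbffff268, pkt=0x812848a "") at snort.c:501
'''

FRAME = re.compile(r'#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \((.*?)\)(?: at (\S+))?$')
ARG = re.compile(r'(\w+)=(0x[0-9a-f]+)')

def parse_frames(text):
    """Parse gdb 'bt' output, tolerating mail quoting and wrapped frames."""
    joined = []
    for line in text.splitlines():
        line = line.lstrip('> ').strip()
        if line.startswith('#'):
            joined.append(line)
        elif line and joined:
            joined[-1] += ' ' + line  # continuation of the previous frame
    frames = []
    for line in joined:
        # Drop string previews first: they can contain ')' and '='.
        m = FRAME.match(re.sub(r'"(?:\\.|[^"\\])*"', '', line))
        if m:
            args = {k: int(v, 16) for k, v in ARG.findall(m.group(3))}
            frames.append({'num': int(m.group(1)), 'func': m.group(2),
                           'args': args, 'loc': m.group(4)})
    return frames

def null_handoffs(frames):
    """Calls where the caller's same-named argument was non-NULL but the callee got NULL."""
    out = []
    for callee, caller in zip(frames, frames[1:]):  # frame N+1 called frame N
        for name, val in callee['args'].items():
            if val == 0 and caller['args'].get(name, 0) != 0:
                out.append((name, caller['func'], callee['func']))
    return out

if __name__ == '__main__':
    print(null_handoffs(parse_frames(BACKTRACE)))
```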



