[Snort-users] Re: [Snort-users] Re: Core on FreeBSD

Martin Roesch roesch at ...1935...
Mon Nov 5 12:24:05 EST 2001


"Ports default" is working fine here, although it is somewhat redundant
(since they're the default ports...)

    -Marty

"Robert D. Hughes" wrote:
> 
> Oh... here's what confused me (from snort.conf comments):
> 
> # tcp stream reassembly directive
> # no arguments loads the default configuration (clientonly, ports default,
> # alerts on)
> ^^^^^^^^^^^^^
> That led me to believe that alerts on was a valid argument. But why does
> it also core if I use "ports default"? I take it that also is not a
> valid argument?
> 
> Thanks,
> Rob
> 
> -----Original Message-----
> From: Martin Roesch [mailto:roesch@sourcefire.com]
> Sent: Monday, November 05, 2001 8:57 AM
> To: Snort-users (E-mail)
> Subject: [Snort-users] Re: Core on FreeBSD
> 
> Ok, the quick answer is that "alerts on" isn't a valid option, so don't
> use that.  The real problem is that I make a call to FatalError() in the
> stream4 parsing code and I pass it a bad argument list, which I've now
> fixed.  Look in the comment block above the stream4_reassemble directive
> in snort.conf to see the valid options.
> 
> A fix has been committed to CVS.
> 
>      -Marty
> 
> "Robert D. Hughes" wrote:
> >
> > All,
> >
> > When creating my snort.conf, I added the line "preprocessor
> > stream4_reassemble: both, ports default, alerts on". This causes a core
> > dump on FreeBSD 4.4-STABLE. If I just use "preprocessor
> > stream4_reassemble: both" it works. Using "preprocessor
> > stream4_reassemble: both, ports 21 23 25 53 80 143 110 111 513 8880 2953
> > 2954" also works. Is there a known issue where using "ports default"
> > causes snort to core? This behavior also occurs if I use "ports all" as
> > is shown in the trace below.
> >
> > Thanks,
> > Rob Hughes
> > Voice (H) (972) 918-0980
> > Voice (C) (214) 282-7996
> > Email rob@robhughes.com
> >
> > #0  0x282a80b6 in vfprintf () from /usr/lib/libc.so.4
> > (gdb) where
> > #0  0x282a80b6 in vfprintf () from /usr/lib/libc.so.4
> > #1  0x282a6ec4 in fprintf () from /usr/lib/libc.so.4
> > #2  0x282a721a in vfprintf () from /usr/lib/libc.so.4
> > #3  0x804dbbb in FatalError (format=0x808d560 "ERROR %s(%d) => Bad
> > stream4_reassemble option specified: \"%s\"\n")
> >     at snort.c:2808
> > #4  0x807732f in Stream4InitReassembler (args=0x80ba400 "both, ports
> > all, alerts on") at spp_stream4.c:885
> > #5  0x8054966 in ParsePreprocessor (rule=0xbfbfd694 "preprocessor
> > stream4_reassemble: both, ports all, alerts on")
> >     at rules.c:1327
> > #6  0x805417b in ParseRule (rule_file=0x282cc800,
> >     prule=0xbfbff744 "preprocessor stream4_reassemble: both, ports all,
> > alerts on", inclevel=0) at rules.c:539
> > #7  0x8053cd7 in ParseRulesFile (file=0x8097a78
> > "/usr/local/etc/snort/snort.conf", inclevel=0) at rules.c:198
> > #8  0x804b38a in main (argc=9, argv=0xbfbffbd8) at snort.c:335
> > #9  0x804ae85 in _start ()
> > (gdb) bt
> > #0  0x282a80b6 in vfprintf () from /usr/lib/libc.so.4
> > #1  0x282a6ec4 in fprintf () from /usr/lib/libc.so.4
> > #2  0x282a721a in vfprintf () from /usr/lib/libc.so.4
> > #3  0x804dbbb in FatalError (format=0x808d560 "ERROR %s(%d) => Bad
> > stream4_reassemble option specified: \"%s\"\n")
> >     at snort.c:2808
> > #4  0x807732f in Stream4InitReassembler (args=0x80ba400 "both, ports
> > all, alerts on") at spp_stream4.c:885
> > #5  0x8054966 in ParsePreprocessor (rule=0xbfbfd694 "preprocessor
> > stream4_reassemble: both, ports all, alerts on")
> >     at rules.c:1327
> > #6  0x805417b in ParseRule (rule_file=0x282cc800,
> >     prule=0xbfbff744 "preprocessor stream4_reassemble: both, ports all,
> > alerts on", inclevel=0) at rules.c:539
> > #7  0x8053cd7 in ParseRulesFile (file=0x8097a78
> > "/usr/local/etc/snort/snort.conf", inclevel=0) at rules.c:198
> > #8  0x804b38a in main (argc=9, argv=0xbfbffbd8) at snort.c:335
> > #9  0x804ae85 in _start ()
> >
> > "Great spirits have always encountered violent opposition from mediocre
> > minds." -- Albert Einstein
> 
> --
> Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> roesch@sourcefire.com - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
> 

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...1935... - http://www.sourcefire.com 
Snort: Open Source Network IDS - http://www.snort.org
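
Added example (not Snort's source and not written by either poster): a C
illustration of the failure class in this thread, a printf-style error
reporter whose arguments must match its format string. The names
report_error and check_reassemble_args and the accepted option set are
assumptions; the format string is the one visible in the backtrace.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a FatalError()-style reporter (formats into a
 * buffer instead of exiting). The format attribute makes GCC/Clang -Wformat
 * reject calls whose arguments do not match the format's conversions. */
static int report_error(char *out, size_t len, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int report_error(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Assumption: only the options named in the thread are accepted
 * (clientonly, both, ports ...). Returns 0 if all options are known,
 * -1 after writing the error text to err. */
static int check_reassemble_args(const char *file, int line, const char *args,
                                 char *err, size_t errlen)
{
    char copy[256];
    snprintf(copy, sizeof(copy), "%s", args);
    for (char *tok = strtok(copy, ","); tok; tok = strtok(NULL, ",")) {
        tok += strspn(tok, " \t");      /* skip leading blanks */
        if (!strcmp(tok, "clientonly") || !strcmp(tok, "both") ||
            !strncmp(tok, "ports ", 6))
            continue;
        /* Three conversions, three arguments of matching type and order. */
        report_error(err, errlen, "ERROR %s(%d) => Bad stream4_reassemble "
                     "option specified: \"%s\"\n", file, line, tok);
        return -1;
    }
    return 0;
}

int main(void)
{
    char err[256] = "";
    /* Constructed input: the directive arguments quoted in the thread. */
    check_reassemble_args("snort.conf", 1, "both, ports all, alerts on",
                          err, sizeof(err));
    fputs(err, stdout);
    return 0;
}
```

Building with -Wall turns a missing or mistyped argument in the
report_error call into a compile-time warning instead of a crash inside
vfprintf at configuration-parse time.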



