[Snort-users] GDB for Snort 1.9.0beta crashes on RH7.3 after 1 attack using mysql output

Roman Danyliw roman at ...438...
Mon Aug 12 10:38:02 EDT 2002


Max,

Sorry about my previous post, I missed your later backtrace email message.  I
just committed a patch to the database plugin that should fix this issue. 
Please give it a try and confirm that the issue has been resolved.

Roman

On 05 Aug 2002 19:51:03 -0500, max valdez <max at ...6164...> wrote :

> I'm getting more insight on the new beta, I can see the alerts on text,
> but any time I try mysql snort crashes at the first alert log, no hints
> on /var/log/mysql, or messages, no error at all, it only stops working
> (disappears on ps).
> 
> I'm making a gdb trace, here it is:
> 
> ----------------
> 
> Rule application order: ->activation->dynamic->alert->pass->log
> 
>         --== Initialization Complete ==--
> 
> -*> Snort! <*-
> Version 1.9.0beta1 (Build 180)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x08056cc4 in vsnprintf (str=0x857ea08 ",1", count=8192, fmt=0x808302c ",%u",
>     args=0xbfffee1c) at snprintf.c:114
> 114             DoprEnd[0] = 0;
> (gdb) where
> #0  0x08056cc4 in vsnprintf (str=0x857ea08 ",1", count=8192,
>     fmt=0x808302c ",%u", args=0xbfffee1c) at snprintf.c:114
> #1  0x08056c84 in snprintf (str=0x857ea08 ",1", count=8192,
>     fmt=0x808302c ",%u") at snprintf.c:93
> #2  0x0805f45d in Database (p=0xbfffefc0, msg=0x84d8250 "SHELLCODE x86 NOOP",
>     arg=0x8174cb0, event=0x84d7fe0) at spo_database.c:880
> #3  0x0805a0b6 in CallLogFuncs (p=0xbfffefc0,
>     message=0x84d8250 "SHELLCODE x86 NOOP", head=0x80bf200, event=0x84d7fe0)
>     at detect.c:179
> #4  0x0805ae80 in AlertAction (p=0xbfffefc0, otn=0x84d7ea0, event=0x84d7fe0)
>     at detect.c:1789
> #5  0x0805a481 in EvalHeader (rtn_idx=0x8177598, p=0xbfffefc0, check_ports=0)
>     at detect.c:677
> #6  0x0805a369 in EvalPacket (List=0x80bf200, mode=2, p=0xbfffefc0)
>     at detect.c:523
> #7  0x0805a268 in Detect (p=0xbfffefc0) at detect.c:311
> #8  0x08059f4f in Preprocess (p=0xbfffefc0) at detect.c:86
> #9  0x08055110 in ProcessPacket (user=0x0, pkthdr=0xbffff480, pkt=0x8151d1a "")
>     at snort.c:580
> #10 0x080713ef in pcap_read_packet ()
> #11 0x08072287 in pcap_loop ()
> #12 0x080563df in InterfaceThread (arg=0x0) at snort.c:1612
> #13 0x08054ffb in SnortMain (argc=5, argv=0xbffff674) at snort.c:514
> #14 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
> (gdb) bt
> #0  0x08056cc4 in vsnprintf (str=0x857ea08 ",1", count=8192,
>     fmt=0x808302c ",%u", args=0xbfffee1c) at snprintf.c:114
> #1  0x08056c84 in snprintf (str=0x857ea08 ",1", count=8192,
>     fmt=0x808302c ",%u") at snprintf.c:93
> #2  0x0805f45d in Database (p=0xbfffefc0, msg=0x84d8250 "SHELLCODE x86 NOOP",
>     arg=0x8174cb0, event=0x84d7fe0) at spo_database.c:880
> #3  0x0805a0b6 in CallLogFuncs (p=0xbfffefc0,
>     message=0x84d8250 "SHELLCODE x86 NOOP", head=0x80bf200, event=0x84d7fe0)
>     at detect.c:179
> #4  0x0805ae80 in AlertAction (p=0xbfffefc0, otn=0x84d7ea0, event=0x84d7fe0)
>     at detect.c:1789
> #5  0x0805a481 in EvalHeader (rtn_idx=0x8177598, p=0xbfffefc0, check_ports=0)
>     at detect.c:677
> #6  0x0805a369 in EvalPacket (List=0x80bf200, mode=2, p=0xbfffefc0)
>     at detect.c:523
> #7  0x0805a268 in Detect (p=0xbfffefc0) at detect.c:311
> #8  0x08059f4f in Preprocess (p=0xbfffefc0) at detect.c:86
> #9  0x08055110 in ProcessPacket (user=0x0, pkthdr=0xbffff480, pkt=0x8151d1a "")
>     at snort.c:580
> #10 0x080713ef in pcap_read_packet ()
> #11 0x08072287 in pcap_loop ()
> #12 0x080563df in InterfaceThread (arg=0x0) at snort.c:1612
> #13 0x08054ffb in SnortMain (argc=5, argv=0xbffff674) at snort.c:514
> #14 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
> ---------------------------------.