[Snort-users] preprocessor stream4_reassemble: both

Vjay LaRosa vjayl at ...3331...
Mon Feb 4 08:30:07 EST 2002


Hello,

I posted a while back with this same problem; I was curious if anyone else is having the same trouble.

Versions with the problem:
Snort Version 1.9-dev (Build 91)
Snort Version 1.8.4-beta1 (Build 91)

When I run snort with the "preprocessor stream4_reassemble: both" line in my snort.conf, I get a core dump after a few minutes of snort processing traffic. I have been trying to figure out what is wrong. I have attached some GDB output to this E-mail, but I don't know what to do. I have no debugging knowledge of C programming, so any help would be appreciated.
Thanks!

vjl




    srems# gdb /opt/snort-test/bin/snort /opt/snort-test/core
    GNU gdb 4.18
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "sparc-sun-solaris2.8"...

    warning: exec file is newer than core file.
    Core was generated by `/opt/snort-test/bin/snort -i qfe6 -c /opt/snort-test/conf/snort.conf -l /opt/sn'.
    Program terminated with signal 10, Bus Error.
    #0 0x21d70 in DecodePPPoEPkt (p=0x6, pkthdr=0xffbef800, pkt=0xb7d5a "") at decode.c:1010
    1010 ppppoe_tag = (PPPoE_Tag *)((char *)(ppppoe_tag+1)+ntohs(tag.length));
    (gdb) where
    #0 0x21d70 in DecodePPPoEPkt (p=0x6, pkthdr=0xffbef800, pkt=0xb7d5a "") at decode.c:1010
    #1 0x2224c in DecodeIP (pkt=0x537c48 "", len=2828993560, p=0xa0b48c00) at decode.c:1271
    #2 0x36a80 in PreprocUrlDecode (p=0x0) at spp_http_decode.c:336
    #3 0x34648 in ParseTCPFlags (rule=0x0, otn=0x0) at sp_tcp_flag_check.c:162
    #4 0x24138 in mSplit (str=0x0, sep=0x0, max_strs=0, toks=0x0, meta=0 '\000') at mstring.c:111
    #5 0x1eb60 in PrintIpOptions (fp=0xffbef800, p=0x0) at log.c:2079
    #6 0x376dc in CreateNodeList (servers=0x1805c "\027") at spp_http_decode.c:565
    #7 0x38310 in ExpireConnections (scanList=0x0, watchPeriod={tv_sec = 86148, tv_usec = 0}, currentTime={tv_sec = 2147433618, tv_usec = 16777216}) at spp_portscan.c:501
    #8 0x201f0 in DecodeEthPkt (p=0x3c59c4b3, pkthdr=0x0, pkt=0x0) at decode.c:98
    #9 0x1e9fc in PrintIpOptions (fp=0x0, p=0x0) at log.c:2050
    (gdb) bt
    #0 0x21d70 in DecodePPPoEPkt (p=0x6, pkthdr=0xffbef800, pkt=0xb7d5a "") at decode.c:1010
    #1 0x2224c in DecodeIP (pkt=0x537c48 "", len=2828993560, p=0xa0b48c00) at decode.c:1271
    #2 0x36a80 in PreprocUrlDecode (p=0x0) at spp_http_decode.c:336
    #3 0x34648 in ParseTCPFlags (rule=0x0, otn=0x0) at sp_tcp_flag_check.c:162
    #4 0x24138 in mSplit (str=0x0, sep=0x0, max_strs=0, toks=0x0, meta=0 '\000') at mstring.c:111
    #5 0x1eb60 in PrintIpOptions (fp=0xffbef800, p=0x0) at log.c:2079
    #6 0x376dc in CreateNodeList (servers=0x1805c "\027") at spp_http_decode.c:565
    #7 0x38310 in ExpireConnections (scanList=0x0, watchPeriod={tv_sec = 86148, tv_usec = 0}, currentTime={tv_sec = 2147433618, tv_usec = 16777216}) at spp_portscan.c:501
    #8 0x201f0 in DecodeEthPkt (p=0x3c59c4b3, pkthdr=0x0, pkt=0x0) at decode.c:98
    #9 0x1e9fc in PrintIpOptions (fp=0x0, p=0x0) at log.c:2050

--
 V.Jay LaRosa                           EMC Corporation
 Systems Administrator                  171 South Street
 (508)435-1000 ext 14957                Hopkinton, MA 01748
 (508)497-8082 fax                      www.emc.com
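
Added example, not part of the original message and not Snort's code: the source line GDB prints for decode.c:1010 advances a cast PPPoE_Tag pointer by a length read from the packet, and a pointer stepped that way can land on an odd address, which strict-alignment CPUs such as SPARC answer with a bus error. The code below walks PPPoE tags (RFC 2516 layout) with byte-wise reads and bounds checks instead. Assumptions: walk_pppoe_tags and rd_be16 are hypothetical names, the buffers are constructed samples, and the page does not establish that alignment is the cause of the crash reported above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_HDR_LEN     4       /* RFC 2516: 16-bit type + 16-bit length */
#define TAG_END_OF_LIST 0x0000

/* Constructed samples. In sample_ok the third tag starts at odd offset 11. */
static const uint8_t sample_ok[] = {
    0x01, 0x01, 0x00, 0x00,                     /* Service-Name, len 0 */
    0x01, 0x03, 0x00, 0x03, 0xaa, 0xbb, 0xcc,   /* Host-Uniq, len 3    */
    0x00, 0x00, 0x00, 0x00                      /* End-Of-List         */
};
static const uint8_t sample_overrun[] = { 0x01, 0x03, 0x04, 0x00, 0xaa };
static const uint8_t sample_short_hdr[] = { 0x01, 0x01, 0x00 };

/* Big-endian 16-bit read, one byte at a time: valid at any address. */
static uint16_t rd_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Count the tags in buf[0..len); -1 if a header or value runs past len. */
int walk_pppoe_tags(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < TAG_HDR_LEN)
            return -1;                  /* truncated tag header */
        uint16_t type = rd_be16(buf + off);
        uint16_t vlen = rd_be16(buf + off + 2);
        off += TAG_HDR_LEN;
        if (vlen > len - off)
            return -1;                  /* length field overruns the buffer */
        off += vlen;                    /* offset may now be odd */
        count++;
        if (type == TAG_END_OF_LIST)
            break;
    }
    return count;
}

int main(void)
{
    printf("ok=%d overrun=%d\n", walk_pppoe_tags(sample_ok, sizeof sample_ok),
           walk_pppoe_tags(sample_overrun, sizeof sample_overrun));
    return 0;
}
```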






